Coverage Report

Created: 2024-07-27 06:35

/src/openssl/ssl/t1_lib.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include <stdio.h>
11
#include <stdlib.h>
12
#include <openssl/objects.h>
13
#include <openssl/evp.h>
14
#include <openssl/hmac.h>
15
#include <openssl/core_names.h>
16
#include <openssl/ocsp.h>
17
#include <openssl/conf.h>
18
#include <openssl/x509v3.h>
19
#include <openssl/dh.h>
20
#include <openssl/bn.h>
21
#include <openssl/provider.h>
22
#include <openssl/param_build.h>
23
#include "internal/nelem.h"
24
#include "internal/sizes.h"
25
#include "internal/tlsgroups.h"
26
#include "ssl_local.h"
27
#include "quic/quic_local.h"
28
#include <openssl/ct.h>
29
30
static const SIGALG_LOOKUP *find_sig_alg(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pkey);
31
static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, const SIGALG_LOOKUP *lu);
32
33
SSL3_ENC_METHOD const TLSv1_enc_data = {
34
    tls1_setup_key_block,
35
    tls1_generate_master_secret,
36
    tls1_change_cipher_state,
37
    tls1_final_finish_mac,
38
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
39
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
40
    tls1_alert_code,
41
    tls1_export_keying_material,
42
    0,
43
    ssl3_set_handshake_header,
44
    tls_close_construct_packet,
45
    ssl3_handshake_write
46
};
47
48
SSL3_ENC_METHOD const TLSv1_1_enc_data = {
49
    tls1_setup_key_block,
50
    tls1_generate_master_secret,
51
    tls1_change_cipher_state,
52
    tls1_final_finish_mac,
53
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
54
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
55
    tls1_alert_code,
56
    tls1_export_keying_material,
57
    0,
58
    ssl3_set_handshake_header,
59
    tls_close_construct_packet,
60
    ssl3_handshake_write
61
};
62
63
SSL3_ENC_METHOD const TLSv1_2_enc_data = {
64
    tls1_setup_key_block,
65
    tls1_generate_master_secret,
66
    tls1_change_cipher_state,
67
    tls1_final_finish_mac,
68
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
69
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
70
    tls1_alert_code,
71
    tls1_export_keying_material,
72
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
73
        | SSL_ENC_FLAG_TLS1_2_CIPHERS,
74
    ssl3_set_handshake_header,
75
    tls_close_construct_packet,
76
    ssl3_handshake_write
77
};
78
79
SSL3_ENC_METHOD const TLSv1_3_enc_data = {
80
    tls13_setup_key_block,
81
    tls13_generate_master_secret,
82
    tls13_change_cipher_state,
83
    tls13_final_finish_mac,
84
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
85
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
86
    tls13_alert_code,
87
    tls13_export_keying_material,
88
    SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
89
    ssl3_set_handshake_header,
90
    tls_close_construct_packet,
91
    ssl3_handshake_write
92
};
93
94
OSSL_TIME tls1_default_timeout(void)
95
0
{
96
    /*
97
     * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
98
     * http, the cache would over fill
99
     */
100
0
    return ossl_seconds2time(60 * 60 * 2);
101
0
}
102
103
int tls1_new(SSL *s)
104
0
{
105
0
    if (!ssl3_new(s))
106
0
        return 0;
107
0
    if (!s->method->ssl_clear(s))
108
0
        return 0;
109
110
0
    return 1;
111
0
}
112
113
void tls1_free(SSL *s)
114
0
{
115
0
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
116
117
0
    if (sc == NULL)
118
0
        return;
119
120
0
    OPENSSL_free(sc->ext.session_ticket);
121
0
    ssl3_free(s);
122
0
}
123
124
int tls1_clear(SSL *s)
125
0
{
126
0
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
127
128
0
    if (sc == NULL)
129
0
        return 0;
130
131
0
    if (!ssl3_clear(s))
132
0
        return 0;
133
134
0
    if (s->method->version == TLS_ANY_VERSION)
135
0
        sc->version = TLS_MAX_VERSION_INTERNAL;
136
0
    else
137
0
        sc->version = s->method->version;
138
139
0
    return 1;
140
0
}
141
142
/* Legacy NID to group_id mapping. Only works for groups we know about */
143
static const struct {
144
    int nid;
145
    uint16_t group_id;
146
} nid_to_group[] = {
147
    {NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1},
148
    {NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1},
149
    {NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2},
150
    {NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1},
151
    {NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2},
152
    {NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1},
153
    {NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1},
154
    {NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1},
155
    {NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1},
156
    {NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1},
157
    {NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1},
158
    {NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1},
159
    {NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1},
160
    {NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1},
161
    {NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1},
162
    {NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1},
163
    {NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2},
164
    {NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1},
165
    {NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1},
166
    {NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1},
167
    {NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1},
168
    {NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1},
169
    {NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1},
170
    {NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1},
171
    {NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1},
172
    {NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1},
173
    {NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1},
174
    {NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1},
175
    {EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519},
176
    {EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448},
177
    {NID_brainpoolP256r1tls13, OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13},
178
    {NID_brainpoolP384r1tls13, OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13},
179
    {NID_brainpoolP512r1tls13, OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13},
180
    {NID_id_tc26_gost_3410_2012_256_paramSetA, OSSL_TLS_GROUP_ID_gc256A},
181
    {NID_id_tc26_gost_3410_2012_256_paramSetB, OSSL_TLS_GROUP_ID_gc256B},
182
    {NID_id_tc26_gost_3410_2012_256_paramSetC, OSSL_TLS_GROUP_ID_gc256C},
183
    {NID_id_tc26_gost_3410_2012_256_paramSetD, OSSL_TLS_GROUP_ID_gc256D},
184
    {NID_id_tc26_gost_3410_2012_512_paramSetA, OSSL_TLS_GROUP_ID_gc512A},
185
    {NID_id_tc26_gost_3410_2012_512_paramSetB, OSSL_TLS_GROUP_ID_gc512B},
186
    {NID_id_tc26_gost_3410_2012_512_paramSetC, OSSL_TLS_GROUP_ID_gc512C},
187
    {NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048},
188
    {NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072},
189
    {NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096},
190
    {NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144},
191
    {NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192}
192
};
193
194
static const unsigned char ecformats_default[] = {
195
    TLSEXT_ECPOINTFORMAT_uncompressed,
196
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
197
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
198
};
199
200
/* The default curves */
201
static const uint16_t supported_groups_default[] = {
202
    OSSL_TLS_GROUP_ID_x25519,        /* X25519 (29) */
203
    OSSL_TLS_GROUP_ID_secp256r1,     /* secp256r1 (23) */
204
    OSSL_TLS_GROUP_ID_x448,          /* X448 (30) */
205
    OSSL_TLS_GROUP_ID_secp521r1,     /* secp521r1 (25) */
206
    OSSL_TLS_GROUP_ID_secp384r1,     /* secp384r1 (24) */
207
    OSSL_TLS_GROUP_ID_gc256A,        /* GC256A (34) */
208
    OSSL_TLS_GROUP_ID_gc256B,        /* GC256B (35) */
209
    OSSL_TLS_GROUP_ID_gc256C,        /* GC256C (36) */
210
    OSSL_TLS_GROUP_ID_gc256D,        /* GC256D (37) */
211
    OSSL_TLS_GROUP_ID_gc512A,        /* GC512A (38) */
212
    OSSL_TLS_GROUP_ID_gc512B,        /* GC512B (39) */
213
    OSSL_TLS_GROUP_ID_gc512C,        /* GC512C (40) */
214
    OSSL_TLS_GROUP_ID_ffdhe2048,     /* ffdhe2048 (0x100) */
215
    OSSL_TLS_GROUP_ID_ffdhe3072,     /* ffdhe3072 (0x101) */
216
    OSSL_TLS_GROUP_ID_ffdhe4096,     /* ffdhe4096 (0x102) */
217
    OSSL_TLS_GROUP_ID_ffdhe6144,     /* ffdhe6144 (0x103) */
218
    OSSL_TLS_GROUP_ID_ffdhe8192,     /* ffdhe8192 (0x104) */
219
};
220
221
static const uint16_t suiteb_curves[] = {
222
    OSSL_TLS_GROUP_ID_secp256r1,
223
    OSSL_TLS_GROUP_ID_secp384r1,
224
};
225
226
struct provider_ctx_data_st {
227
    SSL_CTX *ctx;
228
    OSSL_PROVIDER *provider;
229
};
230
231
54.9k
#define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE        10
232
static OSSL_CALLBACK add_provider_groups;
233
static int add_provider_groups(const OSSL_PARAM params[], void *data)
234
242k
{
235
242k
    struct provider_ctx_data_st *pgd = data;
236
242k
    SSL_CTX *ctx = pgd->ctx;
237
242k
    OSSL_PROVIDER *provider = pgd->provider;
238
242k
    const OSSL_PARAM *p;
239
242k
    TLS_GROUP_INFO *ginf = NULL;
240
242k
    EVP_KEYMGMT *keymgmt;
241
242k
    unsigned int gid;
242
242k
    unsigned int is_kem = 0;
243
242k
    int ret = 0;
244
245
242k
    if (ctx->group_list_max_len == ctx->group_list_len) {
246
27.4k
        TLS_GROUP_INFO *tmp = NULL;
247
248
27.4k
        if (ctx->group_list_max_len == 0)
249
4.58k
            tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO)
250
27.4k
                                 * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE);
251
22.9k
        else
252
22.9k
            tmp = OPENSSL_realloc(ctx->group_list,
253
27.4k
                                  (ctx->group_list_max_len
254
27.4k
                                   + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE)
255
27.4k
                                  * sizeof(TLS_GROUP_INFO));
256
27.4k
        if (tmp == NULL)
257
0
            return 0;
258
27.4k
        ctx->group_list = tmp;
259
27.4k
        memset(tmp + ctx->group_list_max_len,
260
27.4k
               0,
261
27.4k
               sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE);
262
27.4k
        ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE;
263
27.4k
    }
264
265
242k
    ginf = &ctx->group_list[ctx->group_list_len];
266
267
242k
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME);
268
242k
    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
269
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
270
0
        goto err;
271
0
    }
272
242k
    ginf->tlsname = OPENSSL_strdup(p->data);
273
242k
    if (ginf->tlsname == NULL)
274
0
        goto err;
275
276
242k
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL);
277
242k
    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
278
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
279
0
        goto err;
280
0
    }
281
242k
    ginf->realname = OPENSSL_strdup(p->data);
282
242k
    if (ginf->realname == NULL)
283
0
        goto err;
284
285
242k
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID);
286
242k
    if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) {
287
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
288
0
        goto err;
289
0
    }
290
242k
    ginf->group_id = (uint16_t)gid;
291
292
242k
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG);
293
242k
    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
294
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
295
0
        goto err;
296
0
    }
297
242k
    ginf->algorithm = OPENSSL_strdup(p->data);
298
242k
    if (ginf->algorithm == NULL)
299
0
        goto err;
300
301
242k
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS);
302
242k
    if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) {
303
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
304
0
        goto err;
305
0
    }
306
307
242k
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM);
308
242k
    if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) {
309
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
310
0
        goto err;
311
0
    }
312
242k
    ginf->is_kem = 1 & is_kem;
313
314
242k
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS);
315
242k
    if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) {
316
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
317
0
        goto err;
318
0
    }
319
320
242k
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS);
321
242k
    if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) {
322
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
323
0
        goto err;
324
0
    }
325
326
242k
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS);
327
242k
    if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) {
328
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
329
0
        goto err;
330
0
    }
331
332
242k
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS);
333
242k
    if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) {
334
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
335
0
        goto err;
336
0
    }
337
    /*
338
     * Now check that the algorithm is actually usable for our property query
339
     * string. Regardless of the result we still return success because we have
340
     * successfully processed this group, even though we may decide not to use
341
     * it.
342
     */
343
242k
    ret = 1;
344
242k
    ERR_set_mark();
345
242k
    keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq);
346
242k
    if (keymgmt != NULL) {
347
        /*
348
         * We have successfully fetched the algorithm - however if the provider
349
         * doesn't match this one then we ignore it.
350
         *
351
         * Note: We're cheating a little here. Technically if the same algorithm
352
         * is available from more than one provider then it is undefined which
353
         * implementation you will get back. Theoretically this could be
354
         * different every time...we assume here that you'll always get the
355
         * same one back if you repeat the exact same fetch. Is this a reasonable
356
         * assumption to make (in which case perhaps we should document this
357
         * behaviour)?
358
         */
359
242k
        if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
360
            /* We have a match - so we will use this group */
361
242k
            ctx->group_list_len++;
362
242k
            ginf = NULL;
363
242k
        }
364
242k
        EVP_KEYMGMT_free(keymgmt);
365
242k
    }
366
242k
    ERR_pop_to_mark();
367
242k
 err:
368
242k
    if (ginf != NULL) {
369
0
        OPENSSL_free(ginf->tlsname);
370
0
        OPENSSL_free(ginf->realname);
371
0
        OPENSSL_free(ginf->algorithm);
372
0
        ginf->algorithm = ginf->tlsname = ginf->realname = NULL;
373
0
    }
374
242k
    return ret;
375
242k
}
376
377
static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx)
378
9.16k
{
379
9.16k
    struct provider_ctx_data_st pgd;
380
381
9.16k
    pgd.ctx = vctx;
382
9.16k
    pgd.provider = provider;
383
9.16k
    return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP",
384
9.16k
                                          add_provider_groups, &pgd);
385
9.16k
}
386
387
int ssl_load_groups(SSL_CTX *ctx)
388
4.58k
{
389
4.58k
    size_t i, j, num_deflt_grps = 0;
390
4.58k
    uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)];
391
392
4.58k
    if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx))
393
0
        return 0;
394
395
82.4k
    for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) {
396
3.81M
        for (j = 0; j < ctx->group_list_len; j++) {
397
3.78M
            if (ctx->group_list[j].group_id == supported_groups_default[i]) {
398
45.8k
                tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id;
399
45.8k
                break;
400
45.8k
            }
401
3.78M
        }
402
77.8k
    }
403
404
4.58k
    if (num_deflt_grps == 0)
405
0
        return 1;
406
407
4.58k
    ctx->ext.supported_groups_default
408
4.58k
        = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps);
409
410
4.58k
    if (ctx->ext.supported_groups_default == NULL)
411
0
        return 0;
412
413
4.58k
    memcpy(ctx->ext.supported_groups_default,
414
4.58k
           tmp_supp_groups,
415
4.58k
           num_deflt_grps * sizeof(tmp_supp_groups[0]));
416
4.58k
    ctx->ext.supported_groups_default_len = num_deflt_grps;
417
418
4.58k
    return 1;
419
4.58k
}
420
421
0
#define TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE        10
422
static OSSL_CALLBACK add_provider_sigalgs;
423
static int add_provider_sigalgs(const OSSL_PARAM params[], void *data)
424
0
{
425
0
    struct provider_ctx_data_st *pgd = data;
426
0
    SSL_CTX *ctx = pgd->ctx;
427
0
    OSSL_PROVIDER *provider = pgd->provider;
428
0
    const OSSL_PARAM *p;
429
0
    TLS_SIGALG_INFO *sinf = NULL;
430
0
    EVP_KEYMGMT *keymgmt;
431
0
    const char *keytype;
432
0
    unsigned int code_point = 0;
433
0
    int ret = 0;
434
435
0
    if (ctx->sigalg_list_max_len == ctx->sigalg_list_len) {
436
0
        TLS_SIGALG_INFO *tmp = NULL;
437
438
0
        if (ctx->sigalg_list_max_len == 0)
439
0
            tmp = OPENSSL_malloc(sizeof(TLS_SIGALG_INFO)
440
0
                                 * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE);
441
0
        else
442
0
            tmp = OPENSSL_realloc(ctx->sigalg_list,
443
0
                                  (ctx->sigalg_list_max_len
444
0
                                   + TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE)
445
0
                                  * sizeof(TLS_SIGALG_INFO));
446
0
        if (tmp == NULL)
447
0
            return 0;
448
0
        ctx->sigalg_list = tmp;
449
0
        memset(tmp + ctx->sigalg_list_max_len, 0,
450
0
               sizeof(TLS_SIGALG_INFO) * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE);
451
0
        ctx->sigalg_list_max_len += TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE;
452
0
    }
453
454
0
    sinf = &ctx->sigalg_list[ctx->sigalg_list_len];
455
456
    /* First, mandatory parameters */
457
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_NAME);
458
0
    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
459
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
460
0
        goto err;
461
0
    }
462
0
    OPENSSL_free(sinf->sigalg_name);
463
0
    sinf->sigalg_name = OPENSSL_strdup(p->data);
464
0
    if (sinf->sigalg_name == NULL)
465
0
        goto err;
466
467
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME);
468
0
    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) {
469
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
470
0
        goto err;
471
0
    }
472
0
    OPENSSL_free(sinf->name);
473
0
    sinf->name = OPENSSL_strdup(p->data);
474
0
    if (sinf->name == NULL)
475
0
        goto err;
476
477
0
    p = OSSL_PARAM_locate_const(params,
478
0
                                OSSL_CAPABILITY_TLS_SIGALG_CODE_POINT);
479
0
    if (p == NULL
480
0
        || !OSSL_PARAM_get_uint(p, &code_point)
481
0
        || code_point > UINT16_MAX) {
482
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
483
0
        goto err;
484
0
    }
485
0
    sinf->code_point = (uint16_t)code_point;
486
487
0
    p = OSSL_PARAM_locate_const(params,
488
0
                                OSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS);
489
0
    if (p == NULL || !OSSL_PARAM_get_uint(p, &sinf->secbits)) {
490
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
491
0
        goto err;
492
0
    }
493
494
    /* Now, optional parameters */
495
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_OID);
496
0
    if (p == NULL) {
497
0
        sinf->sigalg_oid = NULL;
498
0
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
499
0
        goto err;
500
0
    } else {
501
0
        OPENSSL_free(sinf->sigalg_oid);
502
0
        sinf->sigalg_oid = OPENSSL_strdup(p->data);
503
0
        if (sinf->sigalg_oid == NULL)
504
0
            goto err;
505
0
    }
506
507
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_SIG_NAME);
508
0
    if (p == NULL) {
509
0
        sinf->sig_name = NULL;
510
0
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
511
0
        goto err;
512
0
    } else {
513
0
        OPENSSL_free(sinf->sig_name);
514
0
        sinf->sig_name = OPENSSL_strdup(p->data);
515
0
        if (sinf->sig_name == NULL)
516
0
            goto err;
517
0
    }
518
519
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_SIG_OID);
520
0
    if (p == NULL) {
521
0
        sinf->sig_oid = NULL;
522
0
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
523
0
        goto err;
524
0
    } else {
525
0
        OPENSSL_free(sinf->sig_oid);
526
0
        sinf->sig_oid = OPENSSL_strdup(p->data);
527
0
        if (sinf->sig_oid == NULL)
528
0
            goto err;
529
0
    }
530
531
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_HASH_NAME);
532
0
    if (p == NULL) {
533
0
        sinf->hash_name = NULL;
534
0
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
535
0
        goto err;
536
0
    } else {
537
0
        OPENSSL_free(sinf->hash_name);
538
0
        sinf->hash_name = OPENSSL_strdup(p->data);
539
0
        if (sinf->hash_name == NULL)
540
0
            goto err;
541
0
    }
542
543
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_HASH_OID);
544
0
    if (p == NULL) {
545
0
        sinf->hash_oid = NULL;
546
0
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
547
0
        goto err;
548
0
    } else {
549
0
        OPENSSL_free(sinf->hash_oid);
550
0
        sinf->hash_oid = OPENSSL_strdup(p->data);
551
0
        if (sinf->hash_oid == NULL)
552
0
            goto err;
553
0
    }
554
555
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE);
556
0
    if (p == NULL) {
557
0
        sinf->keytype = NULL;
558
0
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
559
0
        goto err;
560
0
    } else {
561
0
        OPENSSL_free(sinf->keytype);
562
0
        sinf->keytype = OPENSSL_strdup(p->data);
563
0
        if (sinf->keytype == NULL)
564
0
            goto err;
565
0
    }
566
567
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID);
568
0
    if (p == NULL) {
569
0
        sinf->keytype_oid = NULL;
570
0
    } else if (p->data_type != OSSL_PARAM_UTF8_STRING) {
571
0
        goto err;
572
0
    } else {
573
0
        OPENSSL_free(sinf->keytype_oid);
574
0
        sinf->keytype_oid = OPENSSL_strdup(p->data);
575
0
        if (sinf->keytype_oid == NULL)
576
0
            goto err;
577
0
    }
578
579
    /* The remaining parameters below are mandatory again */
580
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_MIN_TLS);
581
0
    if (p == NULL || !OSSL_PARAM_get_int(p, &sinf->mintls)) {
582
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
583
0
        goto err;
584
0
    }
585
0
    if ((sinf->mintls != 0) && (sinf->mintls != -1) &&
586
0
        ((sinf->mintls < TLS1_3_VERSION))) {
587
        /* ignore this sigalg as this OpenSSL doesn't know how to handle it */
588
0
        ret = 1;
589
0
        goto err;
590
0
    }
591
592
0
    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_MAX_TLS);
593
0
    if (p == NULL || !OSSL_PARAM_get_int(p, &sinf->maxtls)) {
594
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
595
0
        goto err;
596
0
    }
597
0
    if ((sinf->maxtls != 0) && (sinf->maxtls != -1) &&
598
0
        ((sinf->maxtls < sinf->mintls))) {
599
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
600
0
        goto err;
601
0
    }
602
0
    if ((sinf->maxtls != 0) && (sinf->maxtls != -1) &&
603
0
        ((sinf->maxtls < TLS1_3_VERSION))) {
604
        /* ignore this sigalg as this OpenSSL doesn't know how to handle it */
605
0
        ret = 1;
606
0
        goto err;
607
0
    }
608
609
    /*
610
     * Now check that the algorithm is actually usable for our property query
611
     * string. Regardless of the result we still return success because we have
612
     * successfully processed this signature, even though we may decide not to
613
     * use it.
614
     */
615
0
    ret = 1;
616
0
    ERR_set_mark();
617
0
    keytype = (sinf->keytype != NULL
618
0
               ? sinf->keytype
619
0
               : (sinf->sig_name != NULL
620
0
                  ? sinf->sig_name
621
0
                  : sinf->sigalg_name));
622
0
    keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, keytype, ctx->propq);
623
0
    if (keymgmt != NULL) {
624
        /*
625
         * We have successfully fetched the algorithm - however if the provider
626
         * doesn't match this one then we ignore it.
627
         *
628
         * Note: We're cheating a little here. Technically if the same algorithm
629
         * is available from more than one provider then it is undefined which
630
         * implementation you will get back. Theoretically this could be
631
         * different every time...we assume here that you'll always get the
632
         * same one back if you repeat the exact same fetch. Is this a reasonable
633
         * assumption to make (in which case perhaps we should document this
634
         * behaviour)?
635
         */
636
0
        if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
637
            /*
638
             * We have a match - so we could use this signature;
639
             * Check proper object registration first, though.
640
             * Don't care about return value as this may have been
641
             * done within providers or previous calls to
642
             * add_provider_sigalgs.
643
             */
644
0
            OBJ_create(sinf->sigalg_oid, sinf->sigalg_name, NULL);
645
            /* sanity check: Without successful registration don't use alg */
646
0
            if ((OBJ_txt2nid(sinf->sigalg_name) == NID_undef) ||
647
0
                (OBJ_nid2obj(OBJ_txt2nid(sinf->sigalg_name)) == NULL)) {
648
0
                    ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
649
0
                    goto err;
650
0
            }
651
0
            if (sinf->sig_name != NULL)
652
0
                OBJ_create(sinf->sig_oid, sinf->sig_name, NULL);
653
0
            if (sinf->keytype != NULL)
654
0
                OBJ_create(sinf->keytype_oid, sinf->keytype, NULL);
655
0
            if (sinf->hash_name != NULL)
656
0
                OBJ_create(sinf->hash_oid, sinf->hash_name, NULL);
657
0
            OBJ_add_sigid(OBJ_txt2nid(sinf->sigalg_name),
658
0
                          (sinf->hash_name != NULL
659
0
                           ? OBJ_txt2nid(sinf->hash_name)
660
0
                           : NID_undef),
661
0
                          OBJ_txt2nid(keytype));
662
0
            ctx->sigalg_list_len++;
663
0
            sinf = NULL;
664
0
        }
665
0
        EVP_KEYMGMT_free(keymgmt);
666
0
    }
667
0
    ERR_pop_to_mark();
668
0
 err:
669
0
    if (sinf != NULL) {
670
0
        OPENSSL_free(sinf->name);
671
0
        sinf->name = NULL;
672
0
        OPENSSL_free(sinf->sigalg_name);
673
0
        sinf->sigalg_name = NULL;
674
0
        OPENSSL_free(sinf->sigalg_oid);
675
0
        sinf->sigalg_oid = NULL;
676
0
        OPENSSL_free(sinf->sig_name);
677
0
        sinf->sig_name = NULL;
678
0
        OPENSSL_free(sinf->sig_oid);
679
0
        sinf->sig_oid = NULL;
680
0
        OPENSSL_free(sinf->hash_name);
681
0
        sinf->hash_name = NULL;
682
0
        OPENSSL_free(sinf->hash_oid);
683
0
        sinf->hash_oid = NULL;
684
0
        OPENSSL_free(sinf->keytype);
685
0
        sinf->keytype = NULL;
686
0
        OPENSSL_free(sinf->keytype_oid);
687
0
        sinf->keytype_oid = NULL;
688
0
    }
689
0
    return ret;
690
0
}
691
692
static int discover_provider_sigalgs(OSSL_PROVIDER *provider, void *vctx)
693
9.16k
{
694
9.16k
    struct provider_ctx_data_st pgd;
695
696
9.16k
    pgd.ctx = vctx;
697
9.16k
    pgd.provider = provider;
698
9.16k
    OSSL_PROVIDER_get_capabilities(provider, "TLS-SIGALG",
699
9.16k
                                   add_provider_sigalgs, &pgd);
700
    /*
701
     * Always OK, even if provider doesn't support the capability:
702
     * Reconsider testing retval when legacy sigalgs are also loaded this way.
703
     */
704
9.16k
    return 1;
705
9.16k
}
706
707
int ssl_load_sigalgs(SSL_CTX *ctx)
708
4.58k
{
709
4.58k
    size_t i;
710
4.58k
    SSL_CERT_LOOKUP lu;
711
712
4.58k
    if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_sigalgs, ctx))
713
0
        return 0;
714
715
    /* now populate ctx->ssl_cert_info */
716
4.58k
    if (ctx->sigalg_list_len > 0) {
717
0
        OPENSSL_free(ctx->ssl_cert_info);
718
0
        ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len);
719
0
        if (ctx->ssl_cert_info == NULL)
720
0
            return 0;
721
0
        for(i = 0; i < ctx->sigalg_list_len; i++) {
722
0
            ctx->ssl_cert_info[i].nid = OBJ_txt2nid(ctx->sigalg_list[i].sigalg_name);
723
0
            ctx->ssl_cert_info[i].amask = SSL_aANY;
724
0
        }
725
0
    }
726
727
    /*
728
     * For now, leave it at this: legacy sigalgs stay in their own
729
     * data structures until "legacy cleanup" occurs.
730
     */
731
732
4.58k
    return 1;
733
4.58k
}
734
735
static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name)
736
0
{
737
0
    size_t i;
738
739
0
    for (i = 0; i < ctx->group_list_len; i++) {
740
0
        if (strcmp(ctx->group_list[i].tlsname, name) == 0
741
0
                || strcmp(ctx->group_list[i].realname, name) == 0)
742
0
            return ctx->group_list[i].group_id;
743
0
    }
744
745
0
    return 0;
746
0
}
747
748
const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id)
749
13.9k
{
750
13.9k
    size_t i;
751
752
590k
    for (i = 0; i < ctx->group_list_len; i++) {
753
590k
        if (ctx->group_list[i].group_id == group_id)
754
13.9k
            return &ctx->group_list[i];
755
590k
    }
756
757
0
    return NULL;
758
13.9k
}
759
760
const char *tls1_group_id2name(SSL_CTX *ctx, uint16_t group_id)
761
0
{
762
0
    const TLS_GROUP_INFO *tls_group_info = tls1_group_id_lookup(ctx, group_id);
763
764
0
    if (tls_group_info == NULL)
765
0
        return NULL;
766
767
0
    return tls_group_info->tlsname;
768
0
}
769
770
int tls1_group_id2nid(uint16_t group_id, int include_unknown)
771
7.73k
{
772
7.73k
    size_t i;
773
774
7.73k
    if (group_id == 0)
775
0
        return NID_undef;
776
777
    /*
778
     * Return well known Group NIDs - for backwards compatibility. This won't
779
     * work for groups we don't know about.
780
     */
781
226k
    for (i = 0; i < OSSL_NELEM(nid_to_group); i++)
782
226k
    {
783
226k
        if (nid_to_group[i].group_id == group_id)
784
7.73k
            return nid_to_group[i].nid;
785
226k
    }
786
0
    if (!include_unknown)
787
0
        return NID_undef;
788
0
    return TLSEXT_nid_unknown | (int)group_id;
789
0
}
790
791
uint16_t tls1_nid2group_id(int nid)
792
2.89k
{
793
2.89k
    size_t i;
794
795
    /*
796
     * Return well known Group ids - for backwards compatibility. This won't
797
     * work for groups we don't know about.
798
     */
799
66.4k
    for (i = 0; i < OSSL_NELEM(nid_to_group); i++)
800
66.4k
    {
801
66.4k
        if (nid_to_group[i].nid == nid)
802
2.89k
            return nid_to_group[i].group_id;
803
66.4k
    }
804
805
0
    return 0;
806
2.89k
}
807
808
/*
809
 * Set *pgroups to the supported groups list and *pgroupslen to
810
 * the number of groups supported.
811
 */
812
void tls1_get_supported_groups(SSL_CONNECTION *s, const uint16_t **pgroups,
813
                               size_t *pgroupslen)
814
3.52k
{
815
3.52k
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
816
817
    /* For Suite B mode only include P-256, P-384 */
818
3.52k
    switch (tls1_suiteb(s)) {
819
0
    case SSL_CERT_FLAG_SUITEB_128_LOS:
820
0
        *pgroups = suiteb_curves;
821
0
        *pgroupslen = OSSL_NELEM(suiteb_curves);
822
0
        break;
823
824
0
    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
825
0
        *pgroups = suiteb_curves;
826
0
        *pgroupslen = 1;
827
0
        break;
828
829
0
    case SSL_CERT_FLAG_SUITEB_192_LOS:
830
0
        *pgroups = suiteb_curves + 1;
831
0
        *pgroupslen = 1;
832
0
        break;
833
834
3.52k
    default:
835
3.52k
        if (s->ext.supportedgroups == NULL) {
836
3.52k
            *pgroups = sctx->ext.supported_groups_default;
837
3.52k
            *pgroupslen = sctx->ext.supported_groups_default_len;
838
3.52k
        } else {
839
0
            *pgroups = s->ext.supportedgroups;
840
0
            *pgroupslen = s->ext.supportedgroups_len;
841
0
        }
842
3.52k
        break;
843
3.52k
    }
844
3.52k
}
845
846
int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id,
847
                    int minversion, int maxversion,
848
                    int isec, int *okfortls13)
849
0
{
850
0
    const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
851
0
                                                       group_id);
852
0
    int ret;
853
0
    int group_minversion, group_maxversion;
854
855
0
    if (okfortls13 != NULL)
856
0
        *okfortls13 = 0;
857
858
0
    if (ginfo == NULL)
859
0
        return 0;
860
861
0
    group_minversion = SSL_CONNECTION_IS_DTLS(s) ? ginfo->mindtls : ginfo->mintls;
862
0
    group_maxversion = SSL_CONNECTION_IS_DTLS(s) ? ginfo->maxdtls : ginfo->maxtls;
863
864
0
    if (group_minversion < 0 || group_maxversion < 0)
865
0
        return 0;
866
0
    if (group_maxversion == 0)
867
0
        ret = 1;
868
0
    else
869
0
        ret = (ssl_version_cmp(s, minversion, group_maxversion) <= 0);
870
0
    if (group_minversion > 0)
871
0
        ret &= (ssl_version_cmp(s, maxversion, group_minversion) >= 0);
872
873
0
    if (!SSL_CONNECTION_IS_DTLS(s)) {
874
0
        if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION)
875
0
            *okfortls13 = (group_maxversion == 0)
876
0
                          || (group_maxversion >= TLS1_3_VERSION);
877
0
    }
878
0
    ret &= !isec
879
0
           || strcmp(ginfo->algorithm, "EC") == 0
880
0
           || strcmp(ginfo->algorithm, "X25519") == 0
881
0
           || strcmp(ginfo->algorithm, "X448") == 0;
882
883
0
    return ret;
884
0
}
885
886
/* See if group is allowed by security callback */
887
int tls_group_allowed(SSL_CONNECTION *s, uint16_t group, int op)
888
7.73k
{
889
7.73k
    const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
890
7.73k
                                                       group);
891
7.73k
    unsigned char gtmp[2];
892
893
7.73k
    if (ginfo == NULL)
894
0
        return 0;
895
896
7.73k
    gtmp[0] = group >> 8;
897
7.73k
    gtmp[1] = group & 0xff;
898
7.73k
    return ssl_security(s, op, ginfo->secbits,
899
7.73k
                        tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp);
900
7.73k
}
901
902
/* Return 1 if "id" is in "list" */
903
static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
904
12.0k
{
905
12.0k
    size_t i;
906
86.2k
    for (i = 0; i < listlen; i++)
907
79.9k
        if (list[i] == id)
908
5.76k
            return 1;
909
6.25k
    return 0;
910
12.0k
}
911
912
/*-
913
 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
914
 * if there is no match.
915
 * For nmatch == -1, return number of matches
916
 * For nmatch == -2, return the id of the group to use for
917
 * a tmp key, or 0 if there is no match.
918
 */
919
uint16_t tls1_shared_group(SSL_CONNECTION *s, int nmatch)
920
3.52k
{
921
3.52k
    const uint16_t *pref, *supp;
922
3.52k
    size_t num_pref, num_supp, i;
923
3.52k
    int k;
924
3.52k
    SSL_CTX *ctx = SSL_CONNECTION_GET_CTX(s);
925
926
    /* Can't do anything on client side */
927
3.52k
    if (s->server == 0)
928
0
        return 0;
929
3.52k
    if (nmatch == -2) {
930
1.40k
        if (tls1_suiteb(s)) {
931
            /*
932
             * For Suite B ciphersuite determines curve: we already know
933
             * these are acceptable due to previous checks.
934
             */
935
0
            unsigned long cid = s->s3.tmp.new_cipher->id;
936
937
0
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
938
0
                return OSSL_TLS_GROUP_ID_secp256r1;
939
0
            if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
940
0
                return OSSL_TLS_GROUP_ID_secp384r1;
941
            /* Should never happen */
942
0
            return 0;
943
0
        }
944
        /* If not Suite B just return first preference shared curve */
945
1.40k
        nmatch = 0;
946
1.40k
    }
947
    /*
948
     * If server preference set, our groups are the preference order
949
     * otherwise peer decides.
950
     */
951
3.52k
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
952
0
        tls1_get_supported_groups(s, &pref, &num_pref);
953
0
        tls1_get_peer_groups(s, &supp, &num_supp);
954
3.52k
    } else {
955
3.52k
        tls1_get_peer_groups(s, &pref, &num_pref);
956
3.52k
        tls1_get_supported_groups(s, &supp, &num_supp);
957
3.52k
    }
958
959
10.6k
    for (k = 0, i = 0; i < num_pref; i++) {
960
9.93k
        uint16_t id = pref[i];
961
9.93k
        const TLS_GROUP_INFO *inf;
962
9.93k
        int minversion, maxversion;
963
964
9.93k
        if (!tls1_in_list(id, supp, num_supp)
965
9.93k
                || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED))
966
5.09k
            continue;
967
4.84k
        inf = tls1_group_id_lookup(ctx, id);
968
4.84k
        if (!ossl_assert(inf != NULL))
969
0
            return 0;
970
971
4.84k
        minversion = SSL_CONNECTION_IS_DTLS(s)
972
4.84k
                         ? inf->mindtls : inf->mintls;
973
4.84k
        maxversion = SSL_CONNECTION_IS_DTLS(s)
974
4.84k
                         ? inf->maxdtls : inf->maxtls;
975
4.84k
        if (maxversion == -1)
976
2.02k
            continue;
977
2.82k
        if ((minversion != 0 && ssl_version_cmp(s, s->version, minversion) < 0)
978
2.82k
            || (maxversion != 0
979
2.82k
                && ssl_version_cmp(s, s->version, maxversion) > 0))
980
0
            continue;
981
982
2.82k
        if (nmatch == k)
983
2.82k
            return id;
984
0
         k++;
985
0
    }
986
705
    if (nmatch == -1)
987
0
        return k;
988
    /* Out of range (nmatch > k). */
989
705
    return 0;
990
705
}
991
992
int tls1_set_groups(uint16_t **pext, size_t *pextlen,
993
                    int *groups, size_t ngroups)
994
0
{
995
0
    uint16_t *glist;
996
0
    size_t i;
997
    /*
998
     * Bitmap of groups included to detect duplicates: two variables are added
999
     * to detect duplicates as some values are more than 32.
1000
     */
1001
0
    unsigned long *dup_list = NULL;
1002
0
    unsigned long dup_list_egrp = 0;
1003
0
    unsigned long dup_list_dhgrp = 0;
1004
1005
0
    if (ngroups == 0) {
1006
0
        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
1007
0
        return 0;
1008
0
    }
1009
0
    if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL)
1010
0
        return 0;
1011
0
    for (i = 0; i < ngroups; i++) {
1012
0
        unsigned long idmask;
1013
0
        uint16_t id;
1014
0
        id = tls1_nid2group_id(groups[i]);
1015
0
        if ((id & 0x00FF) >= (sizeof(unsigned long) * 8))
1016
0
            goto err;
1017
0
        idmask = 1L << (id & 0x00FF);
1018
0
        dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp;
1019
0
        if (!id || ((*dup_list) & idmask))
1020
0
            goto err;
1021
0
        *dup_list |= idmask;
1022
0
        glist[i] = id;
1023
0
    }
1024
0
    OPENSSL_free(*pext);
1025
0
    *pext = glist;
1026
0
    *pextlen = ngroups;
1027
0
    return 1;
1028
0
err:
1029
0
    OPENSSL_free(glist);
1030
0
    return 0;
1031
0
}
1032
1033
0
# define GROUPLIST_INCREMENT   40
1034
# define GROUP_NAME_BUFFER_LENGTH 64
1035
typedef struct {
1036
    SSL_CTX *ctx;
1037
    size_t gidcnt;
1038
    size_t gidmax;
1039
    uint16_t *gid_arr;
1040
} gid_cb_st;
1041
1042
static int gid_cb(const char *elem, int len, void *arg)
1043
0
{
1044
0
    gid_cb_st *garg = arg;
1045
0
    size_t i;
1046
0
    uint16_t gid = 0;
1047
0
    char etmp[GROUP_NAME_BUFFER_LENGTH];
1048
0
    int ignore_unknown = 0;
1049
1050
0
    if (elem == NULL)
1051
0
        return 0;
1052
0
    if (elem[0] == '?') {
1053
0
        ignore_unknown = 1;
1054
0
        ++elem;
1055
0
        --len;
1056
0
    }
1057
0
    if (garg->gidcnt == garg->gidmax) {
1058
0
        uint16_t *tmp =
1059
0
            OPENSSL_realloc(garg->gid_arr,
1060
0
                            (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr));
1061
0
        if (tmp == NULL)
1062
0
            return 0;
1063
0
        garg->gidmax += GROUPLIST_INCREMENT;
1064
0
        garg->gid_arr = tmp;
1065
0
    }
1066
0
    if (len > (int)(sizeof(etmp) - 1))
1067
0
        return 0;
1068
0
    memcpy(etmp, elem, len);
1069
0
    etmp[len] = 0;
1070
1071
0
    gid = tls1_group_name2id(garg->ctx, etmp);
1072
0
    if (gid == 0) {
1073
        /* Unknown group - ignore, if ignore_unknown */
1074
0
        return ignore_unknown;
1075
0
    }
1076
0
    for (i = 0; i < garg->gidcnt; i++)
1077
0
        if (garg->gid_arr[i] == gid) {
1078
            /* Duplicate group - ignore */
1079
0
            return 1;
1080
0
        }
1081
0
    garg->gid_arr[garg->gidcnt++] = gid;
1082
0
    return 1;
1083
0
}
1084
1085
/* Set groups based on a colon separated list */
1086
int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen,
1087
                         const char *str)
1088
0
{
1089
0
    gid_cb_st gcb;
1090
0
    uint16_t *tmparr;
1091
0
    int ret = 0;
1092
1093
0
    gcb.gidcnt = 0;
1094
0
    gcb.gidmax = GROUPLIST_INCREMENT;
1095
0
    gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr));
1096
0
    if (gcb.gid_arr == NULL)
1097
0
        return 0;
1098
0
    gcb.ctx = ctx;
1099
0
    if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb))
1100
0
        goto end;
1101
0
    if (gcb.gidcnt == 0) {
1102
0
        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
1103
0
                       "No valid groups in '%s'", str);
1104
0
        goto end;
1105
0
    }
1106
0
    if (pext == NULL) {
1107
0
        ret = 1;
1108
0
        goto end;
1109
0
    }
1110
1111
    /*
1112
     * gid_cb ensurse there are no duplicates so we can just go ahead and set
1113
     * the result
1114
     */
1115
0
    tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr));
1116
0
    if (tmparr == NULL)
1117
0
        goto end;
1118
0
    OPENSSL_free(*pext);
1119
0
    *pext = tmparr;
1120
0
    *pextlen = gcb.gidcnt;
1121
0
    ret = 1;
1122
0
 end:
1123
0
    OPENSSL_free(gcb.gid_arr);
1124
0
    return ret;
1125
0
}
1126
1127
/* Check a group id matches preferences */
1128
int tls1_check_group_id(SSL_CONNECTION *s, uint16_t group_id,
1129
                        int check_own_groups)
1130
2.89k
    {
1131
2.89k
    const uint16_t *groups;
1132
2.89k
    size_t groups_len;
1133
1134
2.89k
    if (group_id == 0)
1135
0
        return 0;
1136
1137
    /* Check for Suite B compliance */
1138
2.89k
    if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) {
1139
0
        unsigned long cid = s->s3.tmp.new_cipher->id;
1140
1141
0
        if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
1142
0
            if (group_id != OSSL_TLS_GROUP_ID_secp256r1)
1143
0
                return 0;
1144
0
        } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
1145
0
            if (group_id != OSSL_TLS_GROUP_ID_secp384r1)
1146
0
                return 0;
1147
0
        } else {
1148
            /* Should never happen */
1149
0
            return 0;
1150
0
        }
1151
0
    }
1152
1153
2.89k
    if (check_own_groups) {
1154
        /* Check group is one of our preferences */
1155
0
        tls1_get_supported_groups(s, &groups, &groups_len);
1156
0
        if (!tls1_in_list(group_id, groups, groups_len))
1157
0
            return 0;
1158
0
    }
1159
1160
2.89k
    if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
1161
0
        return 0;
1162
1163
    /* For clients, nothing more to check */
1164
2.89k
    if (!s->server)
1165
0
        return 1;
1166
1167
    /* Check group is one of peers preferences */
1168
2.89k
    tls1_get_peer_groups(s, &groups, &groups_len);
1169
1170
    /*
1171
     * RFC 4492 does not require the supported elliptic curves extension
1172
     * so if it is not sent we can just choose any curve.
1173
     * It is invalid to send an empty list in the supported groups
1174
     * extension, so groups_len == 0 always means no extension.
1175
     */
1176
2.89k
    if (groups_len == 0)
1177
817
            return 1;
1178
2.07k
    return tls1_in_list(group_id, groups, groups_len);
1179
2.89k
}
1180
1181
void tls1_get_formatlist(SSL_CONNECTION *s, const unsigned char **pformats,
1182
                         size_t *num_formats)
1183
858
{
1184
    /*
1185
     * If we have a custom point format list use it otherwise use default
1186
     */
1187
858
    if (s->ext.ecpointformats) {
1188
0
        *pformats = s->ext.ecpointformats;
1189
0
        *num_formats = s->ext.ecpointformats_len;
1190
858
    } else {
1191
858
        *pformats = ecformats_default;
1192
        /* For Suite B we don't support char2 fields */
1193
858
        if (tls1_suiteb(s))
1194
0
            *num_formats = sizeof(ecformats_default) - 1;
1195
858
        else
1196
858
            *num_formats = sizeof(ecformats_default);
1197
858
    }
1198
858
}
1199
1200
/* Check a key is compatible with compression extension */
1201
static int tls1_check_pkey_comp(SSL_CONNECTION *s, EVP_PKEY *pkey)
1202
2.95k
{
1203
2.95k
    unsigned char comp_id;
1204
2.95k
    size_t i;
1205
2.95k
    int point_conv;
1206
1207
    /* If not an EC key nothing to check */
1208
2.95k
    if (!EVP_PKEY_is_a(pkey, "EC"))
1209
0
        return 1;
1210
1211
1212
    /* Get required compression id */
1213
2.95k
    point_conv = EVP_PKEY_get_ec_point_conv_form(pkey);
1214
2.95k
    if (point_conv == 0)
1215
0
        return 0;
1216
2.95k
    if (point_conv == POINT_CONVERSION_UNCOMPRESSED) {
1217
2.95k
            comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
1218
2.95k
    } else if (SSL_CONNECTION_IS_TLS13(s)) {
1219
        /*
1220
         * ec_point_formats extension is not used in TLSv1.3 so we ignore
1221
         * this check.
1222
         */
1223
0
        return 1;
1224
0
    } else {
1225
0
        int field_type = EVP_PKEY_get_field_type(pkey);
1226
1227
0
        if (field_type == NID_X9_62_prime_field)
1228
0
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1229
0
        else if (field_type == NID_X9_62_characteristic_two_field)
1230
0
            comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1231
0
        else
1232
0
            return 0;
1233
0
    }
1234
    /*
1235
     * If point formats extension present check it, otherwise everything is
1236
     * supported (see RFC4492).
1237
     */
1238
2.95k
    if (s->ext.peer_ecpointformats == NULL)
1239
2.06k
        return 1;
1240
1241
1.04k
    for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
1242
977
        if (s->ext.peer_ecpointformats[i] == comp_id)
1243
830
            return 1;
1244
977
    }
1245
68
    return 0;
1246
898
}
1247
1248
/* Return group id of a key */
1249
static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
1250
2.89k
{
1251
2.89k
    int curve_nid = ssl_get_EC_curve_nid(pkey);
1252
1253
2.89k
    if (curve_nid == NID_undef)
1254
0
        return 0;
1255
2.89k
    return tls1_nid2group_id(curve_nid);
1256
2.89k
}
1257
1258
/*
1259
 * Check cert parameters compatible with extensions: currently just checks EC
1260
 * certificates have compatible curves and compression.
1261
 */
1262
static int tls1_check_cert_param(SSL_CONNECTION *s, X509 *x, int check_ee_md)
1263
8.87k
{
1264
8.87k
    uint16_t group_id;
1265
8.87k
    EVP_PKEY *pkey;
1266
8.87k
    pkey = X509_get0_pubkey(x);
1267
8.87k
    if (pkey == NULL)
1268
0
        return 0;
1269
    /* If not EC nothing to do */
1270
8.87k
    if (!EVP_PKEY_is_a(pkey, "EC"))
1271
5.91k
        return 1;
1272
    /* Check compression */
1273
2.95k
    if (!tls1_check_pkey_comp(s, pkey))
1274
68
        return 0;
1275
2.89k
    group_id = tls1_get_group_id(pkey);
1276
    /*
1277
     * For a server we allow the certificate to not be in our list of supported
1278
     * groups.
1279
     */
1280
2.89k
    if (!tls1_check_group_id(s, group_id, !s->server))
1281
1.15k
        return 0;
1282
    /*
1283
     * Special case for suite B. We *MUST* sign using SHA256+P-256 or
1284
     * SHA384+P-384.
1285
     */
1286
1.73k
    if (check_ee_md && tls1_suiteb(s)) {
1287
0
        int check_md;
1288
0
        size_t i;
1289
1290
        /* Check to see we have necessary signing algorithm */
1291
0
        if (group_id == OSSL_TLS_GROUP_ID_secp256r1)
1292
0
            check_md = NID_ecdsa_with_SHA256;
1293
0
        else if (group_id == OSSL_TLS_GROUP_ID_secp384r1)
1294
0
            check_md = NID_ecdsa_with_SHA384;
1295
0
        else
1296
0
            return 0;           /* Should never happen */
1297
0
        for (i = 0; i < s->shared_sigalgslen; i++) {
1298
0
            if (check_md == s->shared_sigalgs[i]->sigandhash)
1299
0
                return 1;
1300
0
        }
1301
0
        return 0;
1302
0
    }
1303
1.73k
    return 1;
1304
1.73k
}
1305
1306
/*
1307
 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
1308
 * @s: SSL connection
1309
 * @cid: Cipher ID we're considering using
1310
 *
1311
 * Checks that the kECDHE cipher suite we're considering using
1312
 * is compatible with the client extensions.
1313
 *
1314
 * Returns 0 when the cipher can't be used or 1 when it can.
1315
 */
1316
int tls1_check_ec_tmp_key(SSL_CONNECTION *s, unsigned long cid)
1317
2.12k
{
1318
    /* If not Suite B just need a shared group */
1319
2.12k
    if (!tls1_suiteb(s))
1320
2.12k
        return tls1_shared_group(s, 0) != 0;
1321
    /*
1322
     * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
1323
     * curves permitted.
1324
     */
1325
0
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
1326
0
        return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp256r1, 1);
1327
0
    if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
1328
0
        return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp384r1, 1);
1329
1330
0
    return 0;
1331
0
}
1332
1333
/* Default sigalg schemes */
1334
static const uint16_t tls12_sigalgs[] = {
1335
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
1336
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
1337
    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
1338
    TLSEXT_SIGALG_ed25519,
1339
    TLSEXT_SIGALG_ed448,
1340
    TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
1341
    TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
1342
    TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,
1343
1344
    TLSEXT_SIGALG_rsa_pss_pss_sha256,
1345
    TLSEXT_SIGALG_rsa_pss_pss_sha384,
1346
    TLSEXT_SIGALG_rsa_pss_pss_sha512,
1347
    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
1348
    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
1349
    TLSEXT_SIGALG_rsa_pss_rsae_sha512,
1350
1351
    TLSEXT_SIGALG_rsa_pkcs1_sha256,
1352
    TLSEXT_SIGALG_rsa_pkcs1_sha384,
1353
    TLSEXT_SIGALG_rsa_pkcs1_sha512,
1354
1355
    TLSEXT_SIGALG_ecdsa_sha224,
1356
    TLSEXT_SIGALG_ecdsa_sha1,
1357
1358
    TLSEXT_SIGALG_rsa_pkcs1_sha224,
1359
    TLSEXT_SIGALG_rsa_pkcs1_sha1,
1360
1361
    TLSEXT_SIGALG_dsa_sha224,
1362
    TLSEXT_SIGALG_dsa_sha1,
1363
1364
    TLSEXT_SIGALG_dsa_sha256,
1365
    TLSEXT_SIGALG_dsa_sha384,
1366
    TLSEXT_SIGALG_dsa_sha512,
1367
1368
#ifndef OPENSSL_NO_GOST
1369
    TLSEXT_SIGALG_gostr34102012_256_intrinsic,
1370
    TLSEXT_SIGALG_gostr34102012_512_intrinsic,
1371
    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
1372
    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
1373
    TLSEXT_SIGALG_gostr34102001_gostr3411,
1374
#endif
1375
};
1376
1377
1378
static const uint16_t suiteb_sigalgs[] = {
1379
    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
1380
    TLSEXT_SIGALG_ecdsa_secp384r1_sha384
1381
};
1382
1383
static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
1384
    {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
1385
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1386
     NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1},
1387
    {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
1388
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1389
     NID_ecdsa_with_SHA384, NID_secp384r1, 1},
1390
    {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
1391
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1392
     NID_ecdsa_with_SHA512, NID_secp521r1, 1},
1393
    {"ed25519", TLSEXT_SIGALG_ed25519,
1394
     NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
1395
     NID_undef, NID_undef, 1},
1396
    {"ed448", TLSEXT_SIGALG_ed448,
1397
     NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
1398
     NID_undef, NID_undef, 1},
1399
    {NULL, TLSEXT_SIGALG_ecdsa_sha224,
1400
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1401
     NID_ecdsa_with_SHA224, NID_undef, 1},
1402
    {NULL, TLSEXT_SIGALG_ecdsa_sha1,
1403
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1404
     NID_ecdsa_with_SHA1, NID_undef, 1},
1405
    {"ecdsa_brainpoolP256r1_sha256", TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
1406
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1407
     NID_ecdsa_with_SHA256, NID_brainpoolP256r1, 1},
1408
    {"ecdsa_brainpoolP384r1_sha384", TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
1409
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1410
     NID_ecdsa_with_SHA384, NID_brainpoolP384r1, 1},
1411
    {"ecdsa_brainpoolP512r1_sha512", TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,
1412
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
1413
     NID_ecdsa_with_SHA512, NID_brainpoolP512r1, 1},
1414
    {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
1415
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
1416
     NID_undef, NID_undef, 1},
1417
    {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
1418
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
1419
     NID_undef, NID_undef, 1},
1420
    {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
1421
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
1422
     NID_undef, NID_undef, 1},
1423
    {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
1424
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
1425
     NID_undef, NID_undef, 1},
1426
    {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
1427
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
1428
     NID_undef, NID_undef, 1},
1429
    {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
1430
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
1431
     NID_undef, NID_undef, 1},
1432
    {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
1433
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
1434
     NID_sha256WithRSAEncryption, NID_undef, 1},
1435
    {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
1436
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
1437
     NID_sha384WithRSAEncryption, NID_undef, 1},
1438
    {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
1439
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
1440
     NID_sha512WithRSAEncryption, NID_undef, 1},
1441
    {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
1442
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
1443
     NID_sha224WithRSAEncryption, NID_undef, 1},
1444
    {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
1445
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
1446
     NID_sha1WithRSAEncryption, NID_undef, 1},
1447
    {NULL, TLSEXT_SIGALG_dsa_sha256,
1448
     NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
1449
     NID_dsa_with_SHA256, NID_undef, 1},
1450
    {NULL, TLSEXT_SIGALG_dsa_sha384,
1451
     NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
1452
     NID_undef, NID_undef, 1},
1453
    {NULL, TLSEXT_SIGALG_dsa_sha512,
1454
     NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
1455
     NID_undef, NID_undef, 1},
1456
    {NULL, TLSEXT_SIGALG_dsa_sha224,
1457
     NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
1458
     NID_undef, NID_undef, 1},
1459
    {NULL, TLSEXT_SIGALG_dsa_sha1,
1460
     NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
1461
     NID_dsaWithSHA1, NID_undef, 1},
1462
#ifndef OPENSSL_NO_GOST
1463
    {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic,
1464
     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
1465
     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
1466
     NID_undef, NID_undef, 1},
1467
    {NULL, TLSEXT_SIGALG_gostr34102012_512_intrinsic,
1468
     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
1469
     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
1470
     NID_undef, NID_undef, 1},
1471
    {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
1472
     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
1473
     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
1474
     NID_undef, NID_undef, 1},
1475
    {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
1476
     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
1477
     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
1478
     NID_undef, NID_undef, 1},
1479
    {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
1480
     NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
1481
     NID_id_GostR3410_2001, SSL_PKEY_GOST01,
1482
     NID_undef, NID_undef, 1}
1483
#endif
1484
};
1485
/* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
1486
static const SIGALG_LOOKUP legacy_rsa_sigalg = {
1487
    "rsa_pkcs1_md5_sha1", 0,
1488
     NID_md5_sha1, SSL_MD_MD5_SHA1_IDX,
1489
     EVP_PKEY_RSA, SSL_PKEY_RSA,
1490
     NID_undef, NID_undef, 1
1491
};
1492
1493
/*
1494
 * Default signature algorithm values used if signature algorithms not present.
1495
 * From RFC5246. Note: order must match certificate index order.
1496
 */
1497
static const uint16_t tls_default_sigalg[] = {
1498
    TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
1499
    0, /* SSL_PKEY_RSA_PSS_SIGN */
1500
    TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
1501
    TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
1502
    TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
1503
    TLSEXT_SIGALG_gostr34102012_256_intrinsic, /* SSL_PKEY_GOST12_256 */
1504
    TLSEXT_SIGALG_gostr34102012_512_intrinsic, /* SSL_PKEY_GOST12_512 */
1505
    0, /* SSL_PKEY_ED25519 */
1506
    0, /* SSL_PKEY_ED448 */
1507
};
1508
1509
int ssl_setup_sigalgs(SSL_CTX *ctx)
1510
4.58k
{
1511
4.58k
    size_t i, cache_idx, sigalgs_len;
1512
4.58k
    const SIGALG_LOOKUP *lu;
1513
4.58k
    SIGALG_LOOKUP *cache = NULL;
1514
4.58k
    uint16_t *tls12_sigalgs_list = NULL;
1515
4.58k
    EVP_PKEY *tmpkey = EVP_PKEY_new();
1516
4.58k
    int ret = 0;
1517
1518
4.58k
    if (ctx == NULL)
1519
0
        goto err;
1520
1521
4.58k
    sigalgs_len = OSSL_NELEM(sigalg_lookup_tbl) + ctx->sigalg_list_len;
1522
1523
4.58k
    cache = OPENSSL_malloc(sizeof(const SIGALG_LOOKUP) * sigalgs_len);
1524
4.58k
    if (cache == NULL || tmpkey == NULL)
1525
0
        goto err;
1526
1527
4.58k
    tls12_sigalgs_list = OPENSSL_malloc(sizeof(uint16_t) * sigalgs_len);
1528
4.58k
    if (tls12_sigalgs_list == NULL)
1529
0
        goto err;
1530
1531
4.58k
    ERR_set_mark();
1532
    /* First fill cache and tls12_sigalgs list from legacy algorithm list */
1533
4.58k
    for (i = 0, lu = sigalg_lookup_tbl;
1534
146k
         i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
1535
142k
        EVP_PKEY_CTX *pctx;
1536
1537
142k
        cache[i] = *lu;
1538
142k
        tls12_sigalgs_list[i] = tls12_sigalgs[i];
1539
1540
        /*
1541
         * Check hash is available.
1542
         * This test is not perfect. A provider could have support
1543
         * for a signature scheme, but not a particular hash. However the hash
1544
         * could be available from some other loaded provider. In that case it
1545
         * could be that the signature is available, and the hash is available
1546
         * independently - but not as a combination. We ignore this for now.
1547
         */
1548
142k
        if (lu->hash != NID_undef
1549
142k
                && ctx->ssl_digest_methods[lu->hash_idx] == NULL) {
1550
22.9k
            cache[i].enabled = 0;
1551
22.9k
            continue;
1552
22.9k
        }
1553
1554
119k
        if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
1555
0
            cache[i].enabled = 0;
1556
0
            continue;
1557
0
        }
1558
119k
        pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, tmpkey, ctx->propq);
1559
        /* If unable to create pctx we assume the sig algorithm is unavailable */
1560
119k
        if (pctx == NULL)
1561
0
            cache[i].enabled = 0;
1562
119k
        EVP_PKEY_CTX_free(pctx);
1563
119k
    }
1564
1565
    /* Now complete cache and tls12_sigalgs list with provider sig information */
1566
4.58k
    cache_idx = OSSL_NELEM(sigalg_lookup_tbl);
1567
4.58k
    for (i = 0; i < ctx->sigalg_list_len; i++) {
1568
0
        TLS_SIGALG_INFO si = ctx->sigalg_list[i];
1569
0
        cache[cache_idx].name = si.name;
1570
0
        cache[cache_idx].sigalg = si.code_point;
1571
0
        tls12_sigalgs_list[cache_idx] = si.code_point;
1572
0
        cache[cache_idx].hash = si.hash_name?OBJ_txt2nid(si.hash_name):NID_undef;
1573
0
        cache[cache_idx].hash_idx = ssl_get_md_idx(cache[cache_idx].hash);
1574
0
        cache[cache_idx].sig = OBJ_txt2nid(si.sigalg_name);
1575
0
        cache[cache_idx].sig_idx = i + SSL_PKEY_NUM;
1576
0
        cache[cache_idx].sigandhash = OBJ_txt2nid(si.sigalg_name);
1577
0
        cache[cache_idx].curve = NID_undef;
1578
        /* all provided sigalgs are enabled by load */
1579
0
        cache[cache_idx].enabled = 1;
1580
0
        cache_idx++;
1581
0
    }
1582
4.58k
    ERR_pop_to_mark();
1583
4.58k
    ctx->sigalg_lookup_cache = cache;
1584
4.58k
    ctx->tls12_sigalgs = tls12_sigalgs_list;
1585
4.58k
    ctx->tls12_sigalgs_len = sigalgs_len;
1586
4.58k
    cache = NULL;
1587
4.58k
    tls12_sigalgs_list = NULL;
1588
1589
4.58k
    ret = 1;
1590
4.58k
 err:
1591
4.58k
    OPENSSL_free(cache);
1592
4.58k
    OPENSSL_free(tls12_sigalgs_list);
1593
4.58k
    EVP_PKEY_free(tmpkey);
1594
4.58k
    return ret;
1595
4.58k
}
1596
1597
/* Lookup TLS signature algorithm */
1598
static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL_CONNECTION *s,
1599
                                               uint16_t sigalg)
1600
45.4k
{
1601
45.4k
    size_t i;
1602
45.4k
    const SIGALG_LOOKUP *lu;
1603
1604
45.4k
    for (i = 0, lu = SSL_CONNECTION_GET_CTX(s)->sigalg_lookup_cache;
1605
1.00M
         i < SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs_len;
1606
988k
         lu++, i++) {
1607
988k
        if (lu->sigalg == sigalg) {
1608
32.3k
            if (!lu->enabled)
1609
6.86k
                return NULL;
1610
25.4k
            return lu;
1611
32.3k
        }
1612
988k
    }
1613
13.0k
    return NULL;
1614
45.4k
}
1615
/* Lookup hash: return 0 if invalid or not enabled */
1616
int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
1617
35.7k
{
1618
35.7k
    const EVP_MD *md;
1619
1620
35.7k
    if (lu == NULL)
1621
0
        return 0;
1622
    /* lu->hash == NID_undef means no associated digest */
1623
35.7k
    if (lu->hash == NID_undef) {
1624
244
        md = NULL;
1625
35.4k
    } else {
1626
35.4k
        md = ssl_md(ctx, lu->hash_idx);
1627
35.4k
        if (md == NULL)
1628
0
            return 0;
1629
35.4k
    }
1630
35.7k
    if (pmd)
1631
28.2k
        *pmd = md;
1632
35.7k
    return 1;
1633
35.7k
}
1634
1635
/*
1636
 * Check if key is large enough to generate RSA-PSS signature.
1637
 *
1638
 * The key must greater than or equal to 2 * hash length + 2.
1639
 * SHA512 has a hash length of 64 bytes, which is incompatible
1640
 * with a 128 byte (1024 bit) key.
1641
 */
1642
438
#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2)
1643
static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey,
1644
                                      const SIGALG_LOOKUP *lu)
1645
438
{
1646
438
    const EVP_MD *md;
1647
1648
438
    if (pkey == NULL)
1649
0
        return 0;
1650
438
    if (!tls1_lookup_md(ctx, lu, &md) || md == NULL)
1651
0
        return 0;
1652
438
    if (EVP_MD_get_size(md) <= 0)
1653
0
        return 0;
1654
438
    if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md))
1655
0
        return 0;
1656
438
    return 1;
1657
438
}
1658
1659
/*
1660
 * Returns a signature algorithm when the peer did not send a list of supported
1661
 * signature algorithms. The signature algorithm is fixed for the certificate
1662
 * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
1663
 * certificate type from |s| will be used.
1664
 * Returns the signature algorithm to use, or NULL on error.
1665
 */
1666
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL_CONNECTION *s,
1667
                                                   int idx)
1668
21.8k
{
1669
21.8k
    if (idx == -1) {
1670
2.01k
        if (s->server) {
1671
2.01k
            size_t i;
1672
1673
            /* Work out index corresponding to ciphersuite */
1674
3.00k
            for (i = 0; i < s->ssl_pkey_num; i++) {
1675
3.00k
                const SSL_CERT_LOOKUP *clu
1676
3.00k
                    = ssl_cert_lookup_by_idx(i, SSL_CONNECTION_GET_CTX(s));
1677
1678
3.00k
                if (clu == NULL)
1679
0
                    continue;
1680
3.00k
                if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) {
1681
2.01k
                    idx = i;
1682
2.01k
                    break;
1683
2.01k
                }
1684
3.00k
            }
1685
1686
            /*
1687
             * Some GOST ciphersuites allow more than one signature algorithms
1688
             * */
1689
2.01k
            if (idx == SSL_PKEY_GOST01 && s->s3.tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
1690
0
                int real_idx;
1691
1692
0
                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
1693
0
                     real_idx--) {
1694
0
                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
1695
0
                        idx = real_idx;
1696
0
                        break;
1697
0
                    }
1698
0
                }
1699
0
            }
1700
            /*
1701
             * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used
1702
             * with new (aGOST12-only) ciphersuites, we should find out which one is available really.
1703
             */
1704
2.01k
            else if (idx == SSL_PKEY_GOST12_256) {
1705
0
                int real_idx;
1706
1707
0
                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256;
1708
0
                     real_idx--) {
1709
0
                     if (s->cert->pkeys[real_idx].privatekey != NULL) {
1710
0
                         idx = real_idx;
1711
0
                         break;
1712
0
                     }
1713
0
                }
1714
0
            }
1715
2.01k
        } else {
1716
0
            idx = s->cert->key - s->cert->pkeys;
1717
0
        }
1718
2.01k
    }
1719
21.8k
    if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
1720
0
        return NULL;
1721
1722
21.8k
    if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
1723
20.6k
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, tls_default_sigalg[idx]);
1724
1725
20.6k
        if (lu == NULL)
1726
13.1k
            return NULL;
1727
7.50k
        if (!tls1_lookup_md(SSL_CONNECTION_GET_CTX(s), lu, NULL))
1728
0
            return NULL;
1729
7.50k
        if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
1730
0
            return NULL;
1731
7.50k
        return lu;
1732
7.50k
    }
1733
1.11k
    if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
1734
0
        return NULL;
1735
1.11k
    return &legacy_rsa_sigalg;
1736
1.11k
}
1737
/* Set peer sigalg based key type */
1738
int tls1_set_peer_legacy_sigalg(SSL_CONNECTION *s, const EVP_PKEY *pkey)
1739
0
{
1740
0
    size_t idx;
1741
0
    const SIGALG_LOOKUP *lu;
1742
1743
0
    if (ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)) == NULL)
1744
0
        return 0;
1745
0
    lu = tls1_get_legacy_sigalg(s, idx);
1746
0
    if (lu == NULL)
1747
0
        return 0;
1748
0
    s->s3.tmp.peer_sigalg = lu;
1749
0
    return 1;
1750
0
}
1751
1752
size_t tls12_get_psigalgs(SSL_CONNECTION *s, int sent, const uint16_t **psigs)
1753
4.35k
{
1754
    /*
1755
     * If Suite B mode use Suite B sigalgs only, ignore any other
1756
     * preferences.
1757
     */
1758
4.35k
    switch (tls1_suiteb(s)) {
1759
0
    case SSL_CERT_FLAG_SUITEB_128_LOS:
1760
0
        *psigs = suiteb_sigalgs;
1761
0
        return OSSL_NELEM(suiteb_sigalgs);
1762
1763
0
    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1764
0
        *psigs = suiteb_sigalgs;
1765
0
        return 1;
1766
1767
0
    case SSL_CERT_FLAG_SUITEB_192_LOS:
1768
0
        *psigs = suiteb_sigalgs + 1;
1769
0
        return 1;
1770
4.35k
    }
1771
    /*
1772
     *  We use client_sigalgs (if not NULL) if we're a server
1773
     *  and sending a certificate request or if we're a client and
1774
     *  determining which shared algorithm to use.
1775
     */
1776
4.35k
    if ((s->server == sent) && s->cert->client_sigalgs != NULL) {
1777
0
        *psigs = s->cert->client_sigalgs;
1778
0
        return s->cert->client_sigalgslen;
1779
4.35k
    } else if (s->cert->conf_sigalgs) {
1780
0
        *psigs = s->cert->conf_sigalgs;
1781
0
        return s->cert->conf_sigalgslen;
1782
4.35k
    } else {
1783
4.35k
        *psigs = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs;
1784
4.35k
        return SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs_len;
1785
4.35k
    }
1786
4.35k
}
1787
1788
/*
1789
 * Called by servers only. Checks that we have a sig alg that supports the
1790
 * specified EC curve.
1791
 */
1792
int tls_check_sigalg_curve(const SSL_CONNECTION *s, int curve)
1793
0
{
1794
0
   const uint16_t *sigs;
1795
0
   size_t siglen, i;
1796
1797
0
    if (s->cert->conf_sigalgs) {
1798
0
        sigs = s->cert->conf_sigalgs;
1799
0
        siglen = s->cert->conf_sigalgslen;
1800
0
    } else {
1801
0
        sigs = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs;
1802
0
        siglen = SSL_CONNECTION_GET_CTX(s)->tls12_sigalgs_len;
1803
0
    }
1804
1805
0
    for (i = 0; i < siglen; i++) {
1806
0
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, sigs[i]);
1807
1808
0
        if (lu == NULL)
1809
0
            continue;
1810
0
        if (lu->sig == EVP_PKEY_EC
1811
0
                && lu->curve != NID_undef
1812
0
                && curve == lu->curve)
1813
0
            return 1;
1814
0
    }
1815
1816
0
    return 0;
1817
0
}
1818
1819
/*
1820
 * Return the number of security bits for the signature algorithm, or 0 on
1821
 * error.
1822
 */
1823
static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu)
1824
26.4k
{
1825
26.4k
    const EVP_MD *md = NULL;
1826
26.4k
    int secbits = 0;
1827
1828
26.4k
    if (!tls1_lookup_md(ctx, lu, &md))
1829
0
        return 0;
1830
26.4k
    if (md != NULL)
1831
26.1k
    {
1832
26.1k
        int md_type = EVP_MD_get_type(md);
1833
1834
        /* Security bits: half digest bits */
1835
26.1k
        secbits = EVP_MD_get_size(md) * 4;
1836
26.1k
        if (secbits <= 0)
1837
0
            return 0;
1838
        /*
1839
         * SHA1 and MD5 are known to be broken. Reduce security bits so that
1840
         * they're no longer accepted at security level 1. The real values don't
1841
         * really matter as long as they're lower than 80, which is our
1842
         * security level 1.
1843
         * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for
1844
         * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2
1845
         * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
1846
         * puts a chosen-prefix attack for MD5 at 2^39.
1847
         */
1848
26.1k
        if (md_type == NID_sha1)
1849
10.4k
            secbits = 64;
1850
15.7k
        else if (md_type == NID_md5_sha1)
1851
1.11k
            secbits = 67;
1852
14.6k
        else if (md_type == NID_md5)
1853
0
            secbits = 39;
1854
26.1k
    } else {
1855
        /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
1856
244
        if (lu->sigalg == TLSEXT_SIGALG_ed25519)
1857
72
            secbits = 128;
1858
172
        else if (lu->sigalg == TLSEXT_SIGALG_ed448)
1859
172
            secbits = 224;
1860
244
    }
1861
    /*
1862
     * For provider-based sigalgs we have secbits information available
1863
     * in the (provider-loaded) sigalg_list structure
1864
     */
1865
26.4k
    if ((secbits == 0) && (lu->sig_idx >= SSL_PKEY_NUM)
1866
26.4k
               && ((lu->sig_idx - SSL_PKEY_NUM) < (int)ctx->sigalg_list_len)) {
1867
0
        secbits = ctx->sigalg_list[lu->sig_idx - SSL_PKEY_NUM].secbits;
1868
0
    }
1869
26.4k
    return secbits;
1870
26.4k
}
1871
1872
/*
1873
 * Check signature algorithm is consistent with sent supported signature
1874
 * algorithms and if so set relevant digest and signature scheme in
1875
 * s.
1876
 */
1877
int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey)
1878
0
{
1879
0
    const uint16_t *sent_sigs;
1880
0
    const EVP_MD *md = NULL;
1881
0
    char sigalgstr[2];
1882
0
    size_t sent_sigslen, i, cidx;
1883
0
    int pkeyid = -1;
1884
0
    const SIGALG_LOOKUP *lu;
1885
0
    int secbits = 0;
1886
1887
0
    pkeyid = EVP_PKEY_get_id(pkey);
1888
1889
0
    if (SSL_CONNECTION_IS_TLS13(s)) {
1890
        /* Disallow DSA for TLS 1.3 */
1891
0
        if (pkeyid == EVP_PKEY_DSA) {
1892
0
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
1893
0
            return 0;
1894
0
        }
1895
        /* Only allow PSS for TLS 1.3 */
1896
0
        if (pkeyid == EVP_PKEY_RSA)
1897
0
            pkeyid = EVP_PKEY_RSA_PSS;
1898
0
    }
1899
0
    lu = tls1_lookup_sigalg(s, sig);
1900
    /* if this sigalg is loaded, set so far unknown pkeyid to its sig NID */
1901
0
    if ((pkeyid == EVP_PKEY_KEYMGMT) && (lu != NULL))
1902
0
        pkeyid = lu->sig;
1903
1904
    /* Should never happen */
1905
0
    if (pkeyid == -1)
1906
0
        return -1;
1907
1908
    /*
1909
     * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type
1910
     * is consistent with signature: RSA keys can be used for RSA-PSS
1911
     */
1912
0
    if (lu == NULL
1913
0
        || (SSL_CONNECTION_IS_TLS13(s)
1914
0
            && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
1915
0
        || (pkeyid != lu->sig
1916
0
        && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
1917
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
1918
0
        return 0;
1919
0
    }
1920
    /* Check the sigalg is consistent with the key OID */
1921
0
    if (!ssl_cert_lookup_by_nid(
1922
0
                 (pkeyid == EVP_PKEY_RSA_PSS) ? EVP_PKEY_get_id(pkey) : pkeyid,
1923
0
                 &cidx, SSL_CONNECTION_GET_CTX(s))
1924
0
            || lu->sig_idx != (int)cidx) {
1925
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
1926
0
        return 0;
1927
0
    }
1928
1929
0
    if (pkeyid == EVP_PKEY_EC) {
1930
1931
        /* Check point compression is permitted */
1932
0
        if (!tls1_check_pkey_comp(s, pkey)) {
1933
0
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1934
0
                     SSL_R_ILLEGAL_POINT_COMPRESSION);
1935
0
            return 0;
1936
0
        }
1937
1938
        /* For TLS 1.3 or Suite B check curve matches signature algorithm */
1939
0
        if (SSL_CONNECTION_IS_TLS13(s) || tls1_suiteb(s)) {
1940
0
            int curve = ssl_get_EC_curve_nid(pkey);
1941
1942
0
            if (lu->curve != NID_undef && curve != lu->curve) {
1943
0
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
1944
0
                return 0;
1945
0
            }
1946
0
        }
1947
0
        if (!SSL_CONNECTION_IS_TLS13(s)) {
1948
            /* Check curve matches extensions */
1949
0
            if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) {
1950
0
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
1951
0
                return 0;
1952
0
            }
1953
0
            if (tls1_suiteb(s)) {
1954
                /* Check sigalg matches a permissible Suite B value */
1955
0
                if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
1956
0
                    && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
1957
0
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1958
0
                             SSL_R_WRONG_SIGNATURE_TYPE);
1959
0
                    return 0;
1960
0
                }
1961
0
            }
1962
0
        }
1963
0
    } else if (tls1_suiteb(s)) {
1964
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
1965
0
        return 0;
1966
0
    }
1967
1968
    /* Check signature matches a type we sent */
1969
0
    sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
1970
0
    for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
1971
0
        if (sig == *sent_sigs)
1972
0
            break;
1973
0
    }
1974
    /* Allow fallback to SHA1 if not strict mode */
1975
0
    if (i == sent_sigslen && (lu->hash != NID_sha1
1976
0
        || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1977
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
1978
0
        return 0;
1979
0
    }
1980
0
    if (!tls1_lookup_md(SSL_CONNECTION_GET_CTX(s), lu, &md)) {
1981
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
1982
0
        return 0;
1983
0
    }
1984
    /*
1985
     * Make sure security callback allows algorithm. For historical
1986
     * reasons we have to pass the sigalg as a two byte char array.
1987
     */
1988
0
    sigalgstr[0] = (sig >> 8) & 0xff;
1989
0
    sigalgstr[1] = sig & 0xff;
1990
0
    secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
1991
0
    if (secbits == 0 ||
1992
0
        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
1993
0
                      md != NULL ? EVP_MD_get_type(md) : NID_undef,
1994
0
                      (void *)sigalgstr)) {
1995
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
1996
0
        return 0;
1997
0
    }
1998
    /* Store the sigalg the peer uses */
1999
0
    s->s3.tmp.peer_sigalg = lu;
2000
0
    return 1;
2001
0
}
2002
2003
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
2004
0
{
2005
0
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2006
2007
0
    if (sc == NULL)
2008
0
        return 0;
2009
2010
0
    if (sc->s3.tmp.peer_sigalg == NULL)
2011
0
        return 0;
2012
0
    *pnid = sc->s3.tmp.peer_sigalg->sig;
2013
0
    return 1;
2014
0
}
2015
2016
int SSL_get_signature_type_nid(const SSL *s, int *pnid)
2017
0
{
2018
0
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2019
2020
0
    if (sc == NULL)
2021
0
        return 0;
2022
2023
0
    if (sc->s3.tmp.sigalg == NULL)
2024
0
        return 0;
2025
0
    *pnid = sc->s3.tmp.sigalg->sig;
2026
0
    return 1;
2027
0
}
2028
2029
/*
2030
 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
2031
 * supported, doesn't appear in supported signature algorithms, isn't supported
2032
 * by the enabled protocol versions or by the security level.
2033
 *
2034
 * This function should only be used for checking which ciphers are supported
2035
 * by the client.
2036
 *
2037
 * Call ssl_cipher_disabled() to check that it's enabled or not.
2038
 */
2039
int ssl_set_client_disabled(SSL_CONNECTION *s)
2040
0
{
2041
0
    s->s3.tmp.mask_a = 0;
2042
0
    s->s3.tmp.mask_k = 0;
2043
0
    ssl_set_sig_mask(&s->s3.tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
2044
0
    if (ssl_get_min_max_version(s, &s->s3.tmp.min_ver,
2045
0
                                &s->s3.tmp.max_ver, NULL) != 0)
2046
0
        return 0;
2047
0
#ifndef OPENSSL_NO_PSK
2048
    /* with PSK there must be client callback set */
2049
0
    if (!s->psk_client_callback) {
2050
0
        s->s3.tmp.mask_a |= SSL_aPSK;
2051
0
        s->s3.tmp.mask_k |= SSL_PSK;
2052
0
    }
2053
0
#endif                          /* OPENSSL_NO_PSK */
2054
0
#ifndef OPENSSL_NO_SRP
2055
0
    if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
2056
0
        s->s3.tmp.mask_a |= SSL_aSRP;
2057
0
        s->s3.tmp.mask_k |= SSL_kSRP;
2058
0
    }
2059
0
#endif
2060
0
    return 1;
2061
0
}
2062
2063
/*
2064
 * ssl_cipher_disabled - check that a cipher is disabled or not
2065
 * @s: SSL connection that you want to use the cipher on
2066
 * @c: cipher to check
2067
 * @op: Security check that you want to do
2068
 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
2069
 *
2070
 * Returns 1 when it's disabled, 0 when enabled.
2071
 */
2072
int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c,
2073
                        int op, int ecdhe)
2074
0
{
2075
0
    int minversion = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls;
2076
0
    int maxversion = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls;
2077
2078
0
    if (c->algorithm_mkey & s->s3.tmp.mask_k
2079
0
        || c->algorithm_auth & s->s3.tmp.mask_a)
2080
0
        return 1;
2081
0
    if (s->s3.tmp.max_ver == 0)
2082
0
        return 1;
2083
2084
0
    if (SSL_IS_QUIC_HANDSHAKE(s))
2085
        /* For QUIC, only allow these ciphersuites. */
2086
0
        switch (SSL_CIPHER_get_id(c)) {
2087
0
        case TLS1_3_CK_AES_128_GCM_SHA256:
2088
0
        case TLS1_3_CK_AES_256_GCM_SHA384:
2089
0
        case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
2090
0
            break;
2091
0
        default:
2092
0
            return 1;
2093
0
        }
2094
2095
    /*
2096
     * For historical reasons we will allow ECHDE to be selected by a server
2097
     * in SSLv3 if we are a client
2098
     */
2099
0
    if (minversion == TLS1_VERSION
2100
0
            && ecdhe
2101
0
            && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
2102
0
        minversion = SSL3_VERSION;
2103
2104
0
    if (ssl_version_cmp(s, minversion, s->s3.tmp.max_ver) > 0
2105
0
        || ssl_version_cmp(s, maxversion, s->s3.tmp.min_ver) < 0)
2106
0
        return 1;
2107
2108
0
    return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
2109
0
}
2110
2111
int tls_use_ticket(SSL_CONNECTION *s)
2112
3.93k
{
2113
3.93k
    if ((s->options & SSL_OP_NO_TICKET))
2114
0
        return 0;
2115
3.93k
    return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
2116
3.93k
}
2117
2118
int tls1_set_server_sigalgs(SSL_CONNECTION *s)
2119
2.96k
{
2120
2.96k
    size_t i;
2121
2122
    /* Clear any shared signature algorithms */
2123
2.96k
    OPENSSL_free(s->shared_sigalgs);
2124
2.96k
    s->shared_sigalgs = NULL;
2125
2.96k
    s->shared_sigalgslen = 0;
2126
2127
    /* Clear certificate validity flags */
2128
2.96k
    if (s->s3.tmp.valid_flags)
2129
0
        memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t));
2130
2.96k
    else
2131
2.96k
        s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t));
2132
2.96k
    if (s->s3.tmp.valid_flags == NULL)
2133
0
        return 0;
2134
    /*
2135
     * If peer sent no signature algorithms check to see if we support
2136
     * the default algorithm for each certificate type
2137
     */
2138
2.96k
    if (s->s3.tmp.peer_cert_sigalgs == NULL
2139
2.96k
            && s->s3.tmp.peer_sigalgs == NULL) {
2140
2.19k
        const uint16_t *sent_sigs;
2141
2.19k
        size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
2142
2143
21.9k
        for (i = 0; i < s->ssl_pkey_num; i++) {
2144
19.7k
            const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i);
2145
19.7k
            size_t j;
2146
2147
19.7k
            if (lu == NULL)
2148
13.1k
                continue;
2149
            /* Check default matches a type we sent */
2150
145k
            for (j = 0; j < sent_sigslen; j++) {
2151
145k
                if (lu->sigalg == sent_sigs[j]) {
2152
5.92k
                        s->s3.tmp.valid_flags[i] = CERT_PKEY_SIGN;
2153
5.92k
                        break;
2154
5.92k
                }
2155
145k
            }
2156
6.59k
        }
2157
2.19k
        return 1;
2158
2.19k
    }
2159
2160
770
    if (!tls1_process_sigalgs(s)) {
2161
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2162
0
        return 0;
2163
0
    }
2164
770
    if (s->shared_sigalgs != NULL)
2165
761
        return 1;
2166
2167
    /* Fatal error if no shared signature algorithms */
2168
770
    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2169
9
             SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
2170
9
    return 0;
2171
770
}
2172
2173
/*-
2174
 * Gets the ticket information supplied by the client if any.
2175
 *
2176
 *   hello: The parsed ClientHello data
2177
 *   ret: (output) on return, if a ticket was decrypted, then this is set to
2178
 *       point to the resulting session.
2179
 */
2180
SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s,
2181
                                             CLIENTHELLO_MSG *hello,
2182
                                             SSL_SESSION **ret)
2183
3.48k
{
2184
3.48k
    size_t size;
2185
3.48k
    RAW_EXTENSION *ticketext;
2186
2187
3.48k
    *ret = NULL;
2188
3.48k
    s->ext.ticket_expected = 0;
2189
2190
    /*
2191
     * If tickets disabled or not supported by the protocol version
2192
     * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
2193
     * resumption.
2194
     */
2195
3.48k
    if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
2196
0
        return SSL_TICKET_NONE;
2197
2198
3.48k
    ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket];
2199
3.48k
    if (!ticketext->present)
2200
2.95k
        return SSL_TICKET_NONE;
2201
2202
533
    size = PACKET_remaining(&ticketext->data);
2203
2204
533
    return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size,
2205
533
                              hello->session_id, hello->session_id_len, ret);
2206
3.48k
}
2207
2208
/*-
2209
 * tls_decrypt_ticket attempts to decrypt a session ticket.
2210
 *
2211
 * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are
2212
 * expecting a pre-shared key ciphersuite, in which case we have no use for
2213
 * session tickets and one will never be decrypted, nor will
2214
 * s->ext.ticket_expected be set to 1.
2215
 *
2216
 * Side effects:
2217
 *   Sets s->ext.ticket_expected to 1 if the server will have to issue
2218
 *   a new session ticket to the client because the client indicated support
2219
 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2220
 *   a session ticket or we couldn't use the one it gave us, or if
2221
 *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
2222
 *   Otherwise, s->ext.ticket_expected is set to 0.
2223
 *
2224
 *   etick: points to the body of the session ticket extension.
2225
 *   eticklen: the length of the session tickets extension.
2226
 *   sess_id: points at the session ID.
2227
 *   sesslen: the length of the session ID.
2228
 *   psess: (output) on return, if a ticket was decrypted, then this is set to
2229
 *       point to the resulting session.
2230
 */
2231
SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
2232
                                     const unsigned char *etick,
2233
                                     size_t eticklen,
2234
                                     const unsigned char *sess_id,
2235
                                     size_t sesslen, SSL_SESSION **psess)
2236
533
{
2237
533
    SSL_SESSION *sess = NULL;
2238
533
    unsigned char *sdec;
2239
533
    const unsigned char *p;
2240
533
    int slen, ivlen, renew_ticket = 0, declen;
2241
533
    SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
2242
533
    size_t mlen;
2243
533
    unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2244
533
    SSL_HMAC *hctx = NULL;
2245
533
    EVP_CIPHER_CTX *ctx = NULL;
2246
533
    SSL_CTX *tctx = s->session_ctx;
2247
533
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
2248
2249
533
    if (eticklen == 0) {
2250
        /*
2251
         * The client will accept a ticket but doesn't currently have
2252
         * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3
2253
         */
2254
394
        ret = SSL_TICKET_EMPTY;
2255
394
        goto end;
2256
394
    }
2257
139
    if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) {
2258
        /*
2259
         * Indicate that the ticket couldn't be decrypted rather than
2260
         * generating the session from ticket now, trigger
2261
         * abbreviated handshake based on external mechanism to
2262
         * calculate the master secret later.
2263
         */
2264
0
        ret = SSL_TICKET_NO_DECRYPT;
2265
0
        goto end;
2266
0
    }
2267
2268
    /* Need at least keyname + iv */
2269
139
    if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {
2270
35
        ret = SSL_TICKET_NO_DECRYPT;
2271
35
        goto end;
2272
35
    }
2273
2274
    /* Initialize session ticket encryption and HMAC contexts */
2275
104
    hctx = ssl_hmac_new(tctx);
2276
104
    if (hctx == NULL) {
2277
0
        ret = SSL_TICKET_FATAL_ERR_MALLOC;
2278
0
        goto end;
2279
0
    }
2280
104
    ctx = EVP_CIPHER_CTX_new();
2281
104
    if (ctx == NULL) {
2282
0
        ret = SSL_TICKET_FATAL_ERR_MALLOC;
2283
0
        goto end;
2284
0
    }
2285
104
#ifndef OPENSSL_NO_DEPRECATED_3_0
2286
104
    if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL)
2287
#else
2288
    if (tctx->ext.ticket_key_evp_cb != NULL)
2289
#endif
2290
0
    {
2291
0
        unsigned char *nctick = (unsigned char *)etick;
2292
0
        int rv = 0;
2293
2294
0
        if (tctx->ext.ticket_key_evp_cb != NULL)
2295
0
            rv = tctx->ext.ticket_key_evp_cb(SSL_CONNECTION_GET_SSL(s), nctick,
2296
0
                                             nctick + TLSEXT_KEYNAME_LENGTH,
2297
0
                                             ctx,
2298
0
                                             ssl_hmac_get0_EVP_MAC_CTX(hctx),
2299
0
                                             0);
2300
0
#ifndef OPENSSL_NO_DEPRECATED_3_0
2301
0
        else if (tctx->ext.ticket_key_cb != NULL)
2302
            /* if 0 is returned, write an empty ticket */
2303
0
            rv = tctx->ext.ticket_key_cb(SSL_CONNECTION_GET_SSL(s), nctick,
2304
0
                                         nctick + TLSEXT_KEYNAME_LENGTH,
2305
0
                                         ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0);
2306
0
#endif
2307
0
        if (rv < 0) {
2308
0
            ret = SSL_TICKET_FATAL_ERR_OTHER;
2309
0
            goto end;
2310
0
        }
2311
0
        if (rv == 0) {
2312
0
            ret = SSL_TICKET_NO_DECRYPT;
2313
0
            goto end;
2314
0
        }
2315
0
        if (rv == 2)
2316
0
            renew_ticket = 1;
2317
104
    } else {
2318
104
        EVP_CIPHER *aes256cbc = NULL;
2319
2320
        /* Check key name matches */
2321
104
        if (memcmp(etick, tctx->ext.tick_key_name,
2322
104
                   TLSEXT_KEYNAME_LENGTH) != 0) {
2323
87
            ret = SSL_TICKET_NO_DECRYPT;
2324
87
            goto end;
2325
87
        }
2326
2327
17
        aes256cbc = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC",
2328
17
                                     sctx->propq);
2329
17
        if (aes256cbc == NULL
2330
17
            || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
2331
17
                             sizeof(tctx->ext.secure->tick_hmac_key),
2332
17
                             "SHA256") <= 0
2333
17
            || EVP_DecryptInit_ex(ctx, aes256cbc, NULL,
2334
17
                                  tctx->ext.secure->tick_aes_key,
2335
17
                                  etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
2336
0
            EVP_CIPHER_free(aes256cbc);
2337
0
            ret = SSL_TICKET_FATAL_ERR_OTHER;
2338
0
            goto end;
2339
0
        }
2340
17
        EVP_CIPHER_free(aes256cbc);
2341
17
        if (SSL_CONNECTION_IS_TLS13(s))
2342
0
            renew_ticket = 1;
2343
17
    }
2344
    /*
2345
     * Attempt to process session ticket, first conduct sanity and integrity
2346
     * checks on ticket.
2347
     */
2348
17
    mlen = ssl_hmac_size(hctx);
2349
17
    if (mlen == 0) {
2350
0
        ret = SSL_TICKET_FATAL_ERR_OTHER;
2351
0
        goto end;
2352
0
    }
2353
2354
17
    ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
2355
17
    if (ivlen < 0) {
2356
0
        ret = SSL_TICKET_FATAL_ERR_OTHER;
2357
0
        goto end;
2358
0
    }
2359
2360
    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
2361
17
    if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) {
2362
17
        ret = SSL_TICKET_NO_DECRYPT;
2363
17
        goto end;
2364
17
    }
2365
0
    eticklen -= mlen;
2366
    /* Check HMAC of encrypted ticket */
2367
0
    if (ssl_hmac_update(hctx, etick, eticklen) <= 0
2368
0
        || ssl_hmac_final(hctx, tick_hmac, NULL, sizeof(tick_hmac)) <= 0) {
2369
0
        ret = SSL_TICKET_FATAL_ERR_OTHER;
2370
0
        goto end;
2371
0
    }
2372
2373
0
    if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
2374
0
        ret = SSL_TICKET_NO_DECRYPT;
2375
0
        goto end;
2376
0
    }
2377
    /* Attempt to decrypt session data */
2378
    /* Move p after IV to start of encrypted ticket, update length */
2379
0
    p = etick + TLSEXT_KEYNAME_LENGTH + ivlen;
2380
0
    eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen;
2381
0
    sdec = OPENSSL_malloc(eticklen);
2382
0
    if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
2383
0
                                          (int)eticklen) <= 0) {
2384
0
        OPENSSL_free(sdec);
2385
0
        ret = SSL_TICKET_FATAL_ERR_OTHER;
2386
0
        goto end;
2387
0
    }
2388
0
    if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
2389
0
        OPENSSL_free(sdec);
2390
0
        ret = SSL_TICKET_NO_DECRYPT;
2391
0
        goto end;
2392
0
    }
2393
0
    slen += declen;
2394
0
    p = sdec;
2395
2396
0
    sess = d2i_SSL_SESSION_ex(NULL, &p, slen, sctx->libctx, sctx->propq);
2397
0
    slen -= p - sdec;
2398
0
    OPENSSL_free(sdec);
2399
0
    if (sess) {
2400
        /* Some additional consistency checks */
2401
0
        if (slen != 0) {
2402
0
            SSL_SESSION_free(sess);
2403
0
            sess = NULL;
2404
0
            ret = SSL_TICKET_NO_DECRYPT;
2405
0
            goto end;
2406
0
        }
2407
        /*
2408
         * The session ID, if non-empty, is used by some clients to detect
2409
         * that the ticket has been accepted. So we copy it to the session
2410
         * structure. If it is empty set length to zero as required by
2411
         * standard.
2412
         */
2413
0
        if (sesslen) {
2414
0
            memcpy(sess->session_id, sess_id, sesslen);
2415
0
            sess->session_id_length = sesslen;
2416
0
        }
2417
0
        if (renew_ticket)
2418
0
            ret = SSL_TICKET_SUCCESS_RENEW;
2419
0
        else
2420
0
            ret = SSL_TICKET_SUCCESS;
2421
0
        goto end;
2422
0
    }
2423
0
    ERR_clear_error();
2424
    /*
2425
     * For session parse failure, indicate that we need to send a new ticket.
2426
     */
2427
0
    ret = SSL_TICKET_NO_DECRYPT;
2428
2429
533
 end:
2430
533
    EVP_CIPHER_CTX_free(ctx);
2431
533
    ssl_hmac_free(hctx);
2432
2433
    /*
2434
     * If set, the decrypt_ticket_cb() is called unless a fatal error was
2435
     * detected above. The callback is responsible for checking |ret| before it
2436
     * performs any action
2437
     */
2438
533
    if (s->session_ctx->decrypt_ticket_cb != NULL
2439
533
            && (ret == SSL_TICKET_EMPTY
2440
0
                || ret == SSL_TICKET_NO_DECRYPT
2441
0
                || ret == SSL_TICKET_SUCCESS
2442
0
                || ret == SSL_TICKET_SUCCESS_RENEW)) {
2443
0
        size_t keyname_len = eticklen;
2444
0
        int retcb;
2445
2446
0
        if (keyname_len > TLSEXT_KEYNAME_LENGTH)
2447
0
            keyname_len = TLSEXT_KEYNAME_LENGTH;
2448
0
        retcb = s->session_ctx->decrypt_ticket_cb(SSL_CONNECTION_GET_SSL(s),
2449
0
                                                  sess, etick, keyname_len,
2450
0
                                                  ret,
2451
0
                                                  s->session_ctx->ticket_cb_data);
2452
0
        switch (retcb) {
2453
0
        case SSL_TICKET_RETURN_ABORT:
2454
0
            ret = SSL_TICKET_FATAL_ERR_OTHER;
2455
0
            break;
2456
2457
0
        case SSL_TICKET_RETURN_IGNORE:
2458
0
            ret = SSL_TICKET_NONE;
2459
0
            SSL_SESSION_free(sess);
2460
0
            sess = NULL;
2461
0
            break;
2462
2463
0
        case SSL_TICKET_RETURN_IGNORE_RENEW:
2464
0
            if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT)
2465
0
                ret = SSL_TICKET_NO_DECRYPT;
2466
            /* else the value of |ret| will already do the right thing */
2467
0
            SSL_SESSION_free(sess);
2468
0
            sess = NULL;
2469
0
            break;
2470
2471
0
        case SSL_TICKET_RETURN_USE:
2472
0
        case SSL_TICKET_RETURN_USE_RENEW:
2473
0
            if (ret != SSL_TICKET_SUCCESS
2474
0
                    && ret != SSL_TICKET_SUCCESS_RENEW)
2475
0
                ret = SSL_TICKET_FATAL_ERR_OTHER;
2476
0
            else if (retcb == SSL_TICKET_RETURN_USE)
2477
0
                ret = SSL_TICKET_SUCCESS;
2478
0
            else
2479
0
                ret = SSL_TICKET_SUCCESS_RENEW;
2480
0
            break;
2481
2482
0
        default:
2483
0
            ret = SSL_TICKET_FATAL_ERR_OTHER;
2484
0
        }
2485
0
    }
2486
2487
533
    if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) {
2488
533
        switch (ret) {
2489
139
        case SSL_TICKET_NO_DECRYPT:
2490
139
        case SSL_TICKET_SUCCESS_RENEW:
2491
533
        case SSL_TICKET_EMPTY:
2492
533
            s->ext.ticket_expected = 1;
2493
533
        }
2494
533
    }
2495
2496
533
    *psess = sess;
2497
2498
533
    return ret;
2499
533
}
2500
2501
/* Check to see if a signature algorithm is allowed */
2502
static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op,
2503
                                const SIGALG_LOOKUP *lu)
2504
26.4k
{
2505
26.4k
    unsigned char sigalgstr[2];
2506
26.4k
    int secbits;
2507
2508
26.4k
    if (lu == NULL || !lu->enabled)
2509
0
        return 0;
2510
    /* DSA is not allowed in TLS 1.3 */
2511
26.4k
    if (SSL_CONNECTION_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
2512
0
        return 0;
2513
    /*
2514
     * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3
2515
     * spec
2516
     */
2517
26.4k
    if (!s->server && !SSL_CONNECTION_IS_DTLS(s)
2518
26.4k
        && s->s3.tmp.min_ver >= TLS1_3_VERSION
2519
26.4k
        && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
2520
0
            || lu->hash_idx == SSL_MD_MD5_IDX
2521
0
            || lu->hash_idx == SSL_MD_SHA224_IDX))
2522
0
        return 0;
2523
2524
    /* See if public key algorithm allowed */
2525
26.4k
    if (ssl_cert_is_disabled(SSL_CONNECTION_GET_CTX(s), lu->sig_idx))
2526
0
        return 0;
2527
2528
26.4k
    if (lu->sig == NID_id_GostR3410_2012_256
2529
26.4k
            || lu->sig == NID_id_GostR3410_2012_512
2530
26.4k
            || lu->sig == NID_id_GostR3410_2001) {
2531
        /* We never allow GOST sig algs on the server with TLSv1.3 */
2532
0
        if (s->server && SSL_CONNECTION_IS_TLS13(s))
2533
0
            return 0;
2534
0
        if (!s->server
2535
0
                && SSL_CONNECTION_GET_SSL(s)->method->version == TLS_ANY_VERSION
2536
0
                && s->s3.tmp.max_ver >= TLS1_3_VERSION) {
2537
0
            int i, num;
2538
0
            STACK_OF(SSL_CIPHER) *sk;
2539
2540
            /*
2541
             * We're a client that could negotiate TLSv1.3. We only allow GOST
2542
             * sig algs if we could negotiate TLSv1.2 or below and we have GOST
2543
             * ciphersuites enabled.
2544
             */
2545
2546
0
            if (s->s3.tmp.min_ver >= TLS1_3_VERSION)
2547
0
                return 0;
2548
2549
0
            sk = SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s));
2550
0
            num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0;
2551
0
            for (i = 0; i < num; i++) {
2552
0
                const SSL_CIPHER *c;
2553
2554
0
                c = sk_SSL_CIPHER_value(sk, i);
2555
                /* Skip disabled ciphers */
2556
0
                if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
2557
0
                    continue;
2558
2559
0
                if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0)
2560
0
                    break;
2561
0
            }
2562
0
            if (i == num)
2563
0
                return 0;
2564
0
        }
2565
0
    }
2566
2567
    /* Finally see if security callback allows it */
2568
26.4k
    secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
2569
26.4k
    sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
2570
26.4k
    sigalgstr[1] = lu->sigalg & 0xff;
2571
26.4k
    return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
2572
26.4k
}
2573
2574
/*
2575
 * Get a mask of disabled public key algorithms based on supported signature
2576
 * algorithms. For example if no signature algorithm supports RSA then RSA is
2577
 * disabled.
2578
 */
2579
2580
void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op)
2581
0
{
2582
0
    const uint16_t *sigalgs;
2583
0
    size_t i, sigalgslen;
2584
0
    uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA;
2585
    /*
2586
     * Go through all signature algorithms seeing if we support any
2587
     * in disabled_mask.
2588
     */
2589
0
    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
2590
0
    for (i = 0; i < sigalgslen; i++, sigalgs++) {
2591
0
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *sigalgs);
2592
0
        const SSL_CERT_LOOKUP *clu;
2593
2594
0
        if (lu == NULL)
2595
0
            continue;
2596
2597
0
        clu = ssl_cert_lookup_by_idx(lu->sig_idx,
2598
0
                                     SSL_CONNECTION_GET_CTX(s));
2599
0
        if (clu == NULL)
2600
0
                continue;
2601
2602
        /* If algorithm is disabled see if we can enable it */
2603
0
        if ((clu->amask & disabled_mask) != 0
2604
0
                && tls12_sigalg_allowed(s, op, lu))
2605
0
            disabled_mask &= ~clu->amask;
2606
0
    }
2607
0
    *pmask_a |= disabled_mask;
2608
0
}
2609
2610
int tls12_copy_sigalgs(SSL_CONNECTION *s, WPACKET *pkt,
2611
                       const uint16_t *psig, size_t psiglen)
2612
0
{
2613
0
    size_t i;
2614
0
    int rv = 0;
2615
2616
0
    for (i = 0; i < psiglen; i++, psig++) {
2617
0
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *psig);
2618
2619
0
        if (lu == NULL
2620
0
                || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
2621
0
            continue;
2622
0
        if (!WPACKET_put_bytes_u16(pkt, *psig))
2623
0
            return 0;
2624
        /*
2625
         * If TLS 1.3 must have at least one valid TLS 1.3 message
2626
         * signing algorithm: i.e. neither RSA nor SHA1/SHA224
2627
         */
2628
0
        if (rv == 0 && (!SSL_CONNECTION_IS_TLS13(s)
2629
0
            || (lu->sig != EVP_PKEY_RSA
2630
0
                && lu->hash != NID_sha1
2631
0
                && lu->hash != NID_sha224)))
2632
0
            rv = 1;
2633
0
    }
2634
0
    if (rv == 0)
2635
0
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
2636
0
    return rv;
2637
0
}
2638
2639
/* Given preference and allowed sigalgs set shared sigalgs */
2640
static size_t tls12_shared_sigalgs(SSL_CONNECTION *s,
2641
                                   const SIGALG_LOOKUP **shsig,
2642
                                   const uint16_t *pref, size_t preflen,
2643
                                   const uint16_t *allow, size_t allowlen)
2644
1.53k
{
2645
1.53k
    const uint16_t *ptmp, *atmp;
2646
1.53k
    size_t i, j, nmatch = 0;
2647
24.9k
    for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) {
2648
23.4k
        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *ptmp);
2649
2650
        /* Skip disabled hashes or signature algorithms */
2651
23.4k
        if (lu == NULL
2652
23.4k
                || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu))
2653
5.60k
            continue;
2654
259k
        for (j = 0, atmp = allow; j < allowlen; j++, atmp++) {
2655
259k
            if (*ptmp == *atmp) {
2656
17.8k
                nmatch++;
2657
17.8k
                if (shsig)
2658
8.91k
                    *shsig++ = lu;
2659
17.8k
                break;
2660
17.8k
            }
2661
259k
        }
2662
17.8k
    }
2663
1.53k
    return nmatch;
2664
1.53k
}
2665
2666
/* Set shared signature algorithms for SSL structures */
2667
static int tls1_set_shared_sigalgs(SSL_CONNECTION *s)
2668
770
{
2669
770
    const uint16_t *pref, *allow, *conf;
2670
770
    size_t preflen, allowlen, conflen;
2671
770
    size_t nmatch;
2672
770
    const SIGALG_LOOKUP **salgs = NULL;
2673
770
    CERT *c = s->cert;
2674
770
    unsigned int is_suiteb = tls1_suiteb(s);
2675
2676
770
    OPENSSL_free(s->shared_sigalgs);
2677
770
    s->shared_sigalgs = NULL;
2678
770
    s->shared_sigalgslen = 0;
2679
    /* If client use client signature algorithms if not NULL */
2680
770
    if (!s->server && c->client_sigalgs && !is_suiteb) {
2681
0
        conf = c->client_sigalgs;
2682
0
        conflen = c->client_sigalgslen;
2683
770
    } else if (c->conf_sigalgs && !is_suiteb) {
2684
0
        conf = c->conf_sigalgs;
2685
0
        conflen = c->conf_sigalgslen;
2686
0
    } else
2687
770
        conflen = tls12_get_psigalgs(s, 0, &conf);
2688
770
    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
2689
0
        pref = conf;
2690
0
        preflen = conflen;
2691
0
        allow = s->s3.tmp.peer_sigalgs;
2692
0
        allowlen = s->s3.tmp.peer_sigalgslen;
2693
770
    } else {
2694
770
        allow = conf;
2695
770
        allowlen = conflen;
2696
770
        pref = s->s3.tmp.peer_sigalgs;
2697
770
        preflen = s->s3.tmp.peer_sigalgslen;
2698
770
    }
2699
770
    nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
2700
770
    if (nmatch) {
2701
761
        if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL)
2702
0
            return 0;
2703
761
        nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
2704
761
    } else {
2705
9
        salgs = NULL;
2706
9
    }
2707
770
    s->shared_sigalgs = salgs;
2708
770
    s->shared_sigalgslen = nmatch;
2709
770
    return 1;
2710
770
}
2711
2712
int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen)
2713
2.99k
{
2714
2.99k
    unsigned int stmp;
2715
2.99k
    size_t size, i;
2716
2.99k
    uint16_t *buf;
2717
2718
2.99k
    size = PACKET_remaining(pkt);
2719
2720
    /* Invalid data length */
2721
2.99k
    if (size == 0 || (size & 1) != 0)
2722
2
        return 0;
2723
2724
2.99k
    size >>= 1;
2725
2726
2.99k
    if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL)
2727
0
        return 0;
2728
26.2k
    for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++)
2729
23.2k
        buf[i] = stmp;
2730
2731
2.99k
    if (i != size) {
2732
0
        OPENSSL_free(buf);
2733
0
        return 0;
2734
0
    }
2735
2736
2.99k
    OPENSSL_free(*pdest);
2737
2.99k
    *pdest = buf;
2738
2.99k
    *pdestlen = size;
2739
2740
2.99k
    return 1;
2741
2.99k
}
2742
2743
int tls1_save_sigalgs(SSL_CONNECTION *s, PACKET *pkt, int cert)
2744
969
{
2745
    /* Extension ignored for inappropriate versions */
2746
969
    if (!SSL_USE_SIGALGS(s))
2747
158
        return 1;
2748
    /* Should never happen */
2749
811
    if (s->cert == NULL)
2750
0
        return 0;
2751
2752
811
    if (cert)
2753
41
        return tls1_save_u16(pkt, &s->s3.tmp.peer_cert_sigalgs,
2754
41
                             &s->s3.tmp.peer_cert_sigalgslen);
2755
770
    else
2756
770
        return tls1_save_u16(pkt, &s->s3.tmp.peer_sigalgs,
2757
770
                             &s->s3.tmp.peer_sigalgslen);
2758
2759
811
}
2760
2761
/* Set preferred digest for each key type */
2762
2763
int tls1_process_sigalgs(SSL_CONNECTION *s)
2764
770
{
2765
770
    size_t i;
2766
770
    uint32_t *pvalid = s->s3.tmp.valid_flags;
2767
2768
770
    if (!tls1_set_shared_sigalgs(s))
2769
0
        return 0;
2770
2771
7.70k
    for (i = 0; i < s->ssl_pkey_num; i++)
2772
6.93k
        pvalid[i] = 0;
2773
2774
9.68k
    for (i = 0; i < s->shared_sigalgslen; i++) {
2775
8.91k
        const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
2776
8.91k
        int idx = sigptr->sig_idx;
2777
2778
        /* Ignore PKCS1 based sig algs in TLSv1.3 */
2779
8.91k
        if (SSL_CONNECTION_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
2780
0
            continue;
2781
        /* If not disabled indicate we can explicitly sign */
2782
8.91k
        if (pvalid[idx] == 0
2783
8.91k
            && !ssl_cert_is_disabled(SSL_CONNECTION_GET_CTX(s), idx))
2784
2.14k
            pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
2785
8.91k
    }
2786
770
    return 1;
2787
770
}
2788
2789
int SSL_get_sigalgs(SSL *s, int idx,
2790
                    int *psign, int *phash, int *psignhash,
2791
                    unsigned char *rsig, unsigned char *rhash)
2792
0
{
2793
0
    uint16_t *psig;
2794
0
    size_t numsigalgs;
2795
0
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2796
2797
0
    if (sc == NULL)
2798
0
        return 0;
2799
2800
0
    psig = sc->s3.tmp.peer_sigalgs;
2801
0
    numsigalgs = sc->s3.tmp.peer_sigalgslen;
2802
2803
0
    if (psig == NULL || numsigalgs > INT_MAX)
2804
0
        return 0;
2805
0
    if (idx >= 0) {
2806
0
        const SIGALG_LOOKUP *lu;
2807
2808
0
        if (idx >= (int)numsigalgs)
2809
0
            return 0;
2810
0
        psig += idx;
2811
0
        if (rhash != NULL)
2812
0
            *rhash = (unsigned char)((*psig >> 8) & 0xff);
2813
0
        if (rsig != NULL)
2814
0
            *rsig = (unsigned char)(*psig & 0xff);
2815
0
        lu = tls1_lookup_sigalg(sc, *psig);
2816
0
        if (psign != NULL)
2817
0
            *psign = lu != NULL ? lu->sig : NID_undef;
2818
0
        if (phash != NULL)
2819
0
            *phash = lu != NULL ? lu->hash : NID_undef;
2820
0
        if (psignhash != NULL)
2821
0
            *psignhash = lu != NULL ? lu->sigandhash : NID_undef;
2822
0
    }
2823
0
    return (int)numsigalgs;
2824
0
}
2825
2826
int SSL_get_shared_sigalgs(SSL *s, int idx,
2827
                           int *psign, int *phash, int *psignhash,
2828
                           unsigned char *rsig, unsigned char *rhash)
2829
0
{
2830
0
    const SIGALG_LOOKUP *shsigalgs;
2831
0
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2832
2833
0
    if (sc == NULL)
2834
0
        return 0;
2835
2836
0
    if (sc->shared_sigalgs == NULL
2837
0
        || idx < 0
2838
0
        || idx >= (int)sc->shared_sigalgslen
2839
0
        || sc->shared_sigalgslen > INT_MAX)
2840
0
        return 0;
2841
0
    shsigalgs = sc->shared_sigalgs[idx];
2842
0
    if (phash != NULL)
2843
0
        *phash = shsigalgs->hash;
2844
0
    if (psign != NULL)
2845
0
        *psign = shsigalgs->sig;
2846
0
    if (psignhash != NULL)
2847
0
        *psignhash = shsigalgs->sigandhash;
2848
0
    if (rsig != NULL)
2849
0
        *rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
2850
0
    if (rhash != NULL)
2851
0
        *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
2852
0
    return (int)sc->shared_sigalgslen;
2853
0
}
2854
2855
/* Maximum possible number of unique entries in sigalgs array */
2856
0
#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2)
2857
2858
typedef struct {
2859
    size_t sigalgcnt;
2860
    /* TLSEXT_SIGALG_XXX values */
2861
    uint16_t sigalgs[TLS_MAX_SIGALGCNT];
2862
    SSL_CTX *ctx;
2863
} sig_cb_st;
2864
2865
static void get_sigorhash(int *psig, int *phash, const char *str)
2866
0
{
2867
0
    if (strcmp(str, "RSA") == 0) {
2868
0
        *psig = EVP_PKEY_RSA;
2869
0
    } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) {
2870
0
        *psig = EVP_PKEY_RSA_PSS;
2871
0
    } else if (strcmp(str, "DSA") == 0) {
2872
0
        *psig = EVP_PKEY_DSA;
2873
0
    } else if (strcmp(str, "ECDSA") == 0) {
2874
0
        *psig = EVP_PKEY_EC;
2875
0
    } else {
2876
0
        *phash = OBJ_sn2nid(str);
2877
0
        if (*phash == NID_undef)
2878
0
            *phash = OBJ_ln2nid(str);
2879
0
    }
2880
0
}
2881
/* Maximum length of a signature algorithm string component */
2882
#define TLS_MAX_SIGSTRING_LEN   40
2883
2884
static int sig_cb(const char *elem, int len, void *arg)
2885
0
{
2886
0
    sig_cb_st *sarg = arg;
2887
0
    size_t i = 0;
2888
0
    const SIGALG_LOOKUP *s;
2889
0
    char etmp[TLS_MAX_SIGSTRING_LEN], *p;
2890
0
    int sig_alg = NID_undef, hash_alg = NID_undef;
2891
0
    int ignore_unknown = 0;
2892
2893
0
    if (elem == NULL)
2894
0
        return 0;
2895
0
    if (elem[0] == '?') {
2896
0
        ignore_unknown = 1;
2897
0
        ++elem;
2898
0
        --len;
2899
0
    }
2900
0
    if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
2901
0
        return 0;
2902
0
    if (len > (int)(sizeof(etmp) - 1))
2903
0
        return 0;
2904
0
    memcpy(etmp, elem, len);
2905
0
    etmp[len] = 0;
2906
0
    p = strchr(etmp, '+');
2907
    /*
2908
     * We only allow SignatureSchemes listed in the sigalg_lookup_tbl;
2909
     * if there's no '+' in the provided name, look for the new-style combined
2910
     * name.  If not, match both sig+hash to find the needed SIGALG_LOOKUP.
2911
     * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and
2912
     * rsa_pss_rsae_* that differ only by public key OID; in such cases
2913
     * we will pick the _rsae_ variant, by virtue of them appearing earlier
2914
     * in the table.
2915
     */
2916
0
    if (p == NULL) {
2917
        /* Load provider sigalgs */
2918
0
        if (sarg->ctx != NULL) {
2919
            /* Check if a provider supports the sigalg */
2920
0
            for (i = 0; i < sarg->ctx->sigalg_list_len; i++) {
2921
0
                if (sarg->ctx->sigalg_list[i].sigalg_name != NULL
2922
0
                    && strcmp(etmp,
2923
0
                              sarg->ctx->sigalg_list[i].sigalg_name) == 0) {
2924
0
                    sarg->sigalgs[sarg->sigalgcnt++] =
2925
0
                        sarg->ctx->sigalg_list[i].code_point;
2926
0
                    break;
2927
0
                }
2928
0
            }
2929
0
        }
2930
        /* Check the built-in sigalgs */
2931
0
        if (sarg->ctx == NULL || i == sarg->ctx->sigalg_list_len) {
2932
0
            for (i = 0, s = sigalg_lookup_tbl;
2933
0
                 i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
2934
0
                if (s->name != NULL && strcmp(etmp, s->name) == 0) {
2935
0
                    sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
2936
0
                    break;
2937
0
                }
2938
0
            }
2939
0
            if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
2940
                /* Ignore unknown algorithms if ignore_unknown */
2941
0
                return ignore_unknown;
2942
0
            }
2943
0
        }
2944
0
    } else {
2945
0
        *p = 0;
2946
0
        p++;
2947
0
        if (*p == 0)
2948
0
            return 0;
2949
0
        get_sigorhash(&sig_alg, &hash_alg, etmp);
2950
0
        get_sigorhash(&sig_alg, &hash_alg, p);
2951
0
        if (sig_alg == NID_undef || hash_alg == NID_undef) {
2952
            /* Ignore unknown algorithms if ignore_unknown */
2953
0
            return ignore_unknown;
2954
0
        }
2955
0
        for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
2956
0
             i++, s++) {
2957
0
            if (s->hash == hash_alg && s->sig == sig_alg) {
2958
0
                sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
2959
0
                break;
2960
0
            }
2961
0
        }
2962
0
        if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
2963
            /* Ignore unknown algorithms if ignore_unknown */
2964
0
            return ignore_unknown;
2965
0
        }
2966
0
    }
2967
2968
    /* Ignore duplicates */
2969
0
    for (i = 0; i < sarg->sigalgcnt - 1; i++) {
2970
0
        if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
2971
0
            sarg->sigalgcnt--;
2972
0
            return 1;
2973
0
        }
2974
0
    }
2975
0
    return 1;
2976
0
}
2977
2978
/*
2979
 * Set supported signature algorithms based on a colon separated list of the
2980
 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
2981
 */
2982
int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
2983
0
{
2984
0
    sig_cb_st sig;
2985
0
    sig.sigalgcnt = 0;
2986
2987
0
    if (ctx != NULL && ssl_load_sigalgs(ctx)) {
2988
0
        sig.ctx = ctx;
2989
0
    }
2990
0
    if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
2991
0
        return 0;
2992
0
    if (sig.sigalgcnt == 0) {
2993
0
        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
2994
0
                       "No valid signature algorithms in '%s'", str);
2995
0
        return 0;
2996
0
    }
2997
0
    if (c == NULL)
2998
0
        return 1;
2999
0
    return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3000
0
}
3001
3002
int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
3003
                     int client)
3004
0
{
3005
0
    uint16_t *sigalgs;
3006
3007
0
    if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL)
3008
0
        return 0;
3009
0
    memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs));
3010
3011
0
    if (client) {
3012
0
        OPENSSL_free(c->client_sigalgs);
3013
0
        c->client_sigalgs = sigalgs;
3014
0
        c->client_sigalgslen = salglen;
3015
0
    } else {
3016
0
        OPENSSL_free(c->conf_sigalgs);
3017
0
        c->conf_sigalgs = sigalgs;
3018
0
        c->conf_sigalgslen = salglen;
3019
0
    }
3020
3021
0
    return 1;
3022
0
}
3023
3024
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
3025
0
{
3026
0
    uint16_t *sigalgs, *sptr;
3027
0
    size_t i;
3028
3029
0
    if (salglen & 1)
3030
0
        return 0;
3031
0
    if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL)
3032
0
        return 0;
3033
0
    for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
3034
0
        size_t j;
3035
0
        const SIGALG_LOOKUP *curr;
3036
0
        int md_id = *psig_nids++;
3037
0
        int sig_id = *psig_nids++;
3038
3039
0
        for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl);
3040
0
             j++, curr++) {
3041
0
            if (curr->hash == md_id && curr->sig == sig_id) {
3042
0
                *sptr++ = curr->sigalg;
3043
0
                break;
3044
0
            }
3045
0
        }
3046
3047
0
        if (j == OSSL_NELEM(sigalg_lookup_tbl))
3048
0
            goto err;
3049
0
    }
3050
3051
0
    if (client) {
3052
0
        OPENSSL_free(c->client_sigalgs);
3053
0
        c->client_sigalgs = sigalgs;
3054
0
        c->client_sigalgslen = salglen / 2;
3055
0
    } else {
3056
0
        OPENSSL_free(c->conf_sigalgs);
3057
0
        c->conf_sigalgs = sigalgs;
3058
0
        c->conf_sigalgslen = salglen / 2;
3059
0
    }
3060
3061
0
    return 1;
3062
3063
0
 err:
3064
0
    OPENSSL_free(sigalgs);
3065
0
    return 0;
3066
0
}
3067
3068
static int tls1_check_sig_alg(SSL_CONNECTION *s, X509 *x, int default_nid)
3069
0
{
3070
0
    int sig_nid, use_pc_sigalgs = 0;
3071
0
    size_t i;
3072
0
    const SIGALG_LOOKUP *sigalg;
3073
0
    size_t sigalgslen;
3074
3075
0
    if (default_nid == -1)
3076
0
        return 1;
3077
0
    sig_nid = X509_get_signature_nid(x);
3078
0
    if (default_nid)
3079
0
        return sig_nid == default_nid ? 1 : 0;
3080
3081
0
    if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) {
3082
        /*
3083
         * If we're in TLSv1.3 then we only get here if we're checking the
3084
         * chain. If the peer has specified peer_cert_sigalgs then we use them
3085
         * otherwise we default to normal sigalgs.
3086
         */
3087
0
        sigalgslen = s->s3.tmp.peer_cert_sigalgslen;
3088
0
        use_pc_sigalgs = 1;
3089
0
    } else {
3090
0
        sigalgslen = s->shared_sigalgslen;
3091
0
    }
3092
0
    for (i = 0; i < sigalgslen; i++) {
3093
0
        sigalg = use_pc_sigalgs
3094
0
                 ? tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i])
3095
0
                 : s->shared_sigalgs[i];
3096
0
        if (sigalg != NULL && sig_nid == sigalg->sigandhash)
3097
0
            return 1;
3098
0
    }
3099
0
    return 0;
3100
0
}
3101
3102
/* Check to see if a certificate issuer name matches list of CA names */
3103
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
3104
0
{
3105
0
    const X509_NAME *nm;
3106
0
    int i;
3107
0
    nm = X509_get_issuer_name(x);
3108
0
    for (i = 0; i < sk_X509_NAME_num(names); i++) {
3109
0
        if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3110
0
            return 1;
3111
0
    }
3112
0
    return 0;
3113
0
}
3114
3115
/*
3116
 * Check certificate chain is consistent with TLS extensions and is usable by
3117
 * server. This servers two purposes: it allows users to check chains before
3118
 * passing them to the server and it allows the server to check chains before
3119
 * attempting to use them.
3120
 */
3121
3122
/* Flags which need to be set for a certificate when strict mode not set */
3123
3124
#define CERT_PKEY_VALID_FLAGS \
3125
0
        (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
3126
/* Strict mode flags */
3127
#define CERT_PKEY_STRICT_FLAGS \
3128
0
         (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3129
0
         | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
3130
3131
int tls1_check_chain(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pk,
3132
                     STACK_OF(X509) *chain, int idx)
3133
26.6k
{
3134
26.6k
    int i;
3135
26.6k
    int rv = 0;
3136
26.6k
    int check_flags = 0, strict_mode;
3137
26.6k
    CERT_PKEY *cpk = NULL;
3138
26.6k
    CERT *c = s->cert;
3139
26.6k
    uint32_t *pvalid;
3140
26.6k
    unsigned int suiteb_flags = tls1_suiteb(s);
3141
3142
    /*
3143
     * Meaning of idx:
3144
     * idx == -1 means SSL_check_chain() invocation
3145
     * idx == -2 means checking client certificate chains
3146
     * idx >= 0 means checking SSL_PKEY index
3147
     *
3148
     * For RPK, where there may be no cert, we ignore -1
3149
     */
3150
26.6k
    if (idx != -1) {
3151
26.6k
        if (idx == -2) {
3152
0
            cpk = c->key;
3153
0
            idx = (int)(cpk - c->pkeys);
3154
0
        } else
3155
26.6k
            cpk = c->pkeys + idx;
3156
26.6k
        pvalid = s->s3.tmp.valid_flags + idx;
3157
26.6k
        x = cpk->x509;
3158
26.6k
        pk = cpk->privatekey;
3159
26.6k
        chain = cpk->chain;
3160
26.6k
        strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3161
26.6k
        if (tls12_rpk_and_privkey(s, idx)) {
3162
0
            if (EVP_PKEY_is_a(pk, "EC") && !tls1_check_pkey_comp(s, pk))
3163
0
                return 0;
3164
0
            *pvalid = rv = CERT_PKEY_RPK;
3165
0
            return rv;
3166
0
        }
3167
        /* If no cert or key, forget it */
3168
26.6k
        if (x == NULL || pk == NULL)
3169
17.7k
            goto end;
3170
26.6k
    } else {
3171
0
        size_t certidx;
3172
3173
0
        if (x == NULL || pk == NULL)
3174
0
            return 0;
3175
3176
0
        if (ssl_cert_lookup_by_pkey(pk, &certidx,
3177
0
                                    SSL_CONNECTION_GET_CTX(s)) == NULL)
3178
0
            return 0;
3179
0
        idx = certidx;
3180
0
        pvalid = s->s3.tmp.valid_flags + idx;
3181
3182
0
        if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3183
0
            check_flags = CERT_PKEY_STRICT_FLAGS;
3184
0
        else
3185
0
            check_flags = CERT_PKEY_VALID_FLAGS;
3186
0
        strict_mode = 1;
3187
0
    }
3188
3189
8.87k
    if (suiteb_flags) {
3190
0
        int ok;
3191
0
        if (check_flags)
3192
0
            check_flags |= CERT_PKEY_SUITEB;
3193
0
        ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3194
0
        if (ok == X509_V_OK)
3195
0
            rv |= CERT_PKEY_SUITEB;
3196
0
        else if (!check_flags)
3197
0
            goto end;
3198
0
    }
3199
3200
    /*
3201
     * Check all signature algorithms are consistent with signature
3202
     * algorithms extension if TLS 1.2 or later and strict mode.
3203
     */
3204
8.87k
    if (TLS1_get_version(SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION
3205
8.87k
        && strict_mode) {
3206
0
        int default_nid;
3207
0
        int rsign = 0;
3208
3209
0
        if (s->s3.tmp.peer_cert_sigalgs != NULL
3210
0
                || s->s3.tmp.peer_sigalgs != NULL) {
3211
0
            default_nid = 0;
3212
        /* If no sigalgs extension use defaults from RFC5246 */
3213
0
        } else {
3214
0
            switch (idx) {
3215
0
            case SSL_PKEY_RSA:
3216
0
                rsign = EVP_PKEY_RSA;
3217
0
                default_nid = NID_sha1WithRSAEncryption;
3218
0
                break;
3219
3220
0
            case SSL_PKEY_DSA_SIGN:
3221
0
                rsign = EVP_PKEY_DSA;
3222
0
                default_nid = NID_dsaWithSHA1;
3223
0
                break;
3224
3225
0
            case SSL_PKEY_ECC:
3226
0
                rsign = EVP_PKEY_EC;
3227
0
                default_nid = NID_ecdsa_with_SHA1;
3228
0
                break;
3229
3230
0
            case SSL_PKEY_GOST01:
3231
0
                rsign = NID_id_GostR3410_2001;
3232
0
                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3233
0
                break;
3234
3235
0
            case SSL_PKEY_GOST12_256:
3236
0
                rsign = NID_id_GostR3410_2012_256;
3237
0
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3238
0
                break;
3239
3240
0
            case SSL_PKEY_GOST12_512:
3241
0
                rsign = NID_id_GostR3410_2012_512;
3242
0
                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3243
0
                break;
3244
3245
0
            default:
3246
0
                default_nid = -1;
3247
0
                break;
3248
0
            }
3249
0
        }
3250
        /*
3251
         * If peer sent no signature algorithms extension and we have set
3252
         * preferred signature algorithms check we support sha1.
3253
         */
3254
0
        if (default_nid > 0 && c->conf_sigalgs) {
3255
0
            size_t j;
3256
0
            const uint16_t *p = c->conf_sigalgs;
3257
0
            for (j = 0; j < c->conf_sigalgslen; j++, p++) {
3258
0
                const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *p);
3259
3260
0
                if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign)
3261
0
                    break;
3262
0
            }
3263
0
            if (j == c->conf_sigalgslen) {
3264
0
                if (check_flags)
3265
0
                    goto skip_sigs;
3266
0
                else
3267
0
                    goto end;
3268
0
            }
3269
0
        }
3270
        /* Check signature algorithm of each cert in chain */
3271
0
        if (SSL_CONNECTION_IS_TLS13(s)) {
3272
            /*
3273
             * We only get here if the application has called SSL_check_chain(),
3274
             * so check_flags is always set.
3275
             */
3276
0
            if (find_sig_alg(s, x, pk) != NULL)
3277
0
                rv |= CERT_PKEY_EE_SIGNATURE;
3278
0
        } else if (!tls1_check_sig_alg(s, x, default_nid)) {
3279
0
            if (!check_flags)
3280
0
                goto end;
3281
0
        } else
3282
0
            rv |= CERT_PKEY_EE_SIGNATURE;
3283
0
        rv |= CERT_PKEY_CA_SIGNATURE;
3284
0
        for (i = 0; i < sk_X509_num(chain); i++) {
3285
0
            if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
3286
0
                if (check_flags) {
3287
0
                    rv &= ~CERT_PKEY_CA_SIGNATURE;
3288
0
                    break;
3289
0
                } else
3290
0
                    goto end;
3291
0
            }
3292
0
        }
3293
0
    }
3294
    /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3295
8.87k
    else if (check_flags)
3296
0
        rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3297
8.87k
 skip_sigs:
3298
    /* Check cert parameters are consistent */
3299
8.87k
    if (tls1_check_cert_param(s, x, 1))
3300
7.65k
        rv |= CERT_PKEY_EE_PARAM;
3301
1.22k
    else if (!check_flags)
3302
1.22k
        goto end;
3303
7.65k
    if (!s->server)
3304
0
        rv |= CERT_PKEY_CA_PARAM;
3305
    /* In strict mode check rest of chain too */
3306
7.65k
    else if (strict_mode) {
3307
0
        rv |= CERT_PKEY_CA_PARAM;
3308
0
        for (i = 0; i < sk_X509_num(chain); i++) {
3309
0
            X509 *ca = sk_X509_value(chain, i);
3310
0
            if (!tls1_check_cert_param(s, ca, 0)) {
3311
0
                if (check_flags) {
3312
0
                    rv &= ~CERT_PKEY_CA_PARAM;
3313
0
                    break;
3314
0
                } else
3315
0
                    goto end;
3316
0
            }
3317
0
        }
3318
0
    }
3319
7.65k
    if (!s->server && strict_mode) {
3320
0
        STACK_OF(X509_NAME) *ca_dn;
3321
0
        int check_type = 0;
3322
3323
0
        if (EVP_PKEY_is_a(pk, "RSA"))
3324
0
            check_type = TLS_CT_RSA_SIGN;
3325
0
        else if (EVP_PKEY_is_a(pk, "DSA"))
3326
0
            check_type = TLS_CT_DSS_SIGN;
3327
0
        else if (EVP_PKEY_is_a(pk, "EC"))
3328
0
            check_type = TLS_CT_ECDSA_SIGN;
3329
3330
0
        if (check_type) {
3331
0
            const uint8_t *ctypes = s->s3.tmp.ctype;
3332
0
            size_t j;
3333
3334
0
            for (j = 0; j < s->s3.tmp.ctype_len; j++, ctypes++) {
3335
0
                if (*ctypes == check_type) {
3336
0
                    rv |= CERT_PKEY_CERT_TYPE;
3337
0
                    break;
3338
0
                }
3339
0
            }
3340
0
            if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3341
0
                goto end;
3342
0
        } else {
3343
0
            rv |= CERT_PKEY_CERT_TYPE;
3344
0
        }
3345
3346
0
        ca_dn = s->s3.tmp.peer_ca_names;
3347
3348
0
        if (ca_dn == NULL
3349
0
            || sk_X509_NAME_num(ca_dn) == 0
3350
0
            || ssl_check_ca_name(ca_dn, x))
3351
0
            rv |= CERT_PKEY_ISSUER_NAME;
3352
0
        else
3353
0
            for (i = 0; i < sk_X509_num(chain); i++) {
3354
0
                X509 *xtmp = sk_X509_value(chain, i);
3355
3356
0
                if (ssl_check_ca_name(ca_dn, xtmp)) {
3357
0
                    rv |= CERT_PKEY_ISSUER_NAME;
3358
0
                    break;
3359
0
                }
3360
0
            }
3361
3362
0
        if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
3363
0
            goto end;
3364
0
    } else
3365
7.65k
        rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
3366
3367
7.65k
    if (!check_flags || (rv & check_flags) == check_flags)
3368
7.65k
        rv |= CERT_PKEY_VALID;
3369
3370
26.6k
 end:
3371
3372
26.6k
    if (TLS1_get_version(SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION)
3373
0
        rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN);
3374
26.6k
    else
3375
26.6k
        rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
3376
3377
    /*
3378
     * When checking a CERT_PKEY structure all flags are irrelevant if the
3379
     * chain is invalid.
3380
     */
3381
26.6k
    if (!check_flags) {
3382
26.6k
        if (rv & CERT_PKEY_VALID) {
3383
7.65k
            *pvalid = rv;
3384
18.9k
        } else {
3385
            /* Preserve sign and explicit sign flag, clear rest */
3386
18.9k
            *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
3387
18.9k
            return 0;
3388
18.9k
        }
3389
26.6k
    }
3390
7.65k
    return rv;
3391
26.6k
}
3392
3393
/* Set validity of certificates in an SSL structure */
3394
void tls1_set_cert_validity(SSL_CONNECTION *s)
3395
2.95k
{
3396
2.95k
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
3397
2.95k
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
3398
2.95k
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
3399
2.95k
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
3400
2.95k
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
3401
2.95k
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
3402
2.95k
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
3403
2.95k
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
3404
2.95k
    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
3405
2.95k
}
3406
3407
/* User level utility function to check a chain is suitable */
3408
int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
3409
0
{
3410
0
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3411
3412
0
    if (sc == NULL)
3413
0
        return 0;
3414
3415
0
    return tls1_check_chain(sc, x, pk, chain, -1);
3416
0
}
3417
3418
EVP_PKEY *ssl_get_auto_dh(SSL_CONNECTION *s)
3419
0
{
3420
0
    EVP_PKEY *dhp = NULL;
3421
0
    BIGNUM *p;
3422
0
    int dh_secbits = 80, sec_level_bits;
3423
0
    EVP_PKEY_CTX *pctx = NULL;
3424
0
    OSSL_PARAM_BLD *tmpl = NULL;
3425
0
    OSSL_PARAM *params = NULL;
3426
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
3427
3428
0
    if (s->cert->dh_tmp_auto != 2) {
3429
0
        if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
3430
0
            if (s->s3.tmp.new_cipher->strength_bits == 256)
3431
0
                dh_secbits = 128;
3432
0
            else
3433
0
                dh_secbits = 80;
3434
0
        } else {
3435
0
            if (s->s3.tmp.cert == NULL)
3436
0
                return NULL;
3437
0
            dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey);
3438
0
        }
3439
0
    }
3440
3441
    /* Do not pick a prime that is too weak for the current security level */
3442
0
    sec_level_bits = ssl_get_security_level_bits(SSL_CONNECTION_GET_SSL(s),
3443
0
                                                 NULL, NULL);
3444
0
    if (dh_secbits < sec_level_bits)
3445
0
        dh_secbits = sec_level_bits;
3446
3447
0
    if (dh_secbits >= 192)
3448
0
        p = BN_get_rfc3526_prime_8192(NULL);
3449
0
    else if (dh_secbits >= 152)
3450
0
        p = BN_get_rfc3526_prime_4096(NULL);
3451
0
    else if (dh_secbits >= 128)
3452
0
        p = BN_get_rfc3526_prime_3072(NULL);
3453
0
    else if (dh_secbits >= 112)
3454
0
        p = BN_get_rfc3526_prime_2048(NULL);
3455
0
    else
3456
0
        p = BN_get_rfc2409_prime_1024(NULL);
3457
0
    if (p == NULL)
3458
0
        goto err;
3459
3460
0
    pctx = EVP_PKEY_CTX_new_from_name(sctx->libctx, "DH", sctx->propq);
3461
0
    if (pctx == NULL
3462
0
            || EVP_PKEY_fromdata_init(pctx) != 1)
3463
0
        goto err;
3464
3465
0
    tmpl = OSSL_PARAM_BLD_new();
3466
0
    if (tmpl == NULL
3467
0
            || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
3468
0
            || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2))
3469
0
        goto err;
3470
3471
0
    params = OSSL_PARAM_BLD_to_param(tmpl);
3472
0
    if (params == NULL
3473
0
            || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1)
3474
0
        goto err;
3475
3476
0
err:
3477
0
    OSSL_PARAM_free(params);
3478
0
    OSSL_PARAM_BLD_free(tmpl);
3479
0
    EVP_PKEY_CTX_free(pctx);
3480
0
    BN_free(p);
3481
0
    return dhp;
3482
0
}
3483
3484
static int ssl_security_cert_key(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x,
3485
                                 int op)
3486
16.4k
{
3487
16.4k
    int secbits = -1;
3488
16.4k
    EVP_PKEY *pkey = X509_get0_pubkey(x);
3489
3490
16.4k
    if (pkey) {
3491
        /*
3492
         * If no parameters this will return -1 and fail using the default
3493
         * security callback for any non-zero security level. This will
3494
         * reject keys which omit parameters but this only affects DSA and
3495
         * omission of parameters is never (?) done in practice.
3496
         */
3497
16.4k
        secbits = EVP_PKEY_get_security_bits(pkey);
3498
16.4k
    }
3499
16.4k
    if (s != NULL)
3500
2.70k
        return ssl_security(s, op, secbits, 0, x);
3501
13.7k
    else
3502
13.7k
        return ssl_ctx_security(ctx, op, secbits, 0, x);
3503
16.4k
}
3504
3505
static int ssl_security_cert_sig(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x,
3506
                                 int op)
3507
16.4k
{
3508
    /* Lookup signature algorithm digest */
3509
16.4k
    int secbits, nid, pknid;
3510
3511
    /* Don't check signature if self signed */
3512
16.4k
    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
3513
16.4k
        return 1;
3514
0
    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
3515
0
        secbits = -1;
3516
    /* If digest NID not defined use signature NID */
3517
0
    if (nid == NID_undef)
3518
0
        nid = pknid;
3519
0
    if (s != NULL)
3520
0
        return ssl_security(s, op, secbits, nid, x);
3521
0
    else
3522
0
        return ssl_ctx_security(ctx, op, secbits, nid, x);
3523
0
}
3524
3525
int ssl_security_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, int vfy,
3526
                      int is_ee)
3527
16.4k
{
3528
16.4k
    if (vfy)
3529
0
        vfy = SSL_SECOP_PEER;
3530
16.4k
    if (is_ee) {
3531
16.4k
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
3532
0
            return SSL_R_EE_KEY_TOO_SMALL;
3533
16.4k
    } else {
3534
0
        if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
3535
0
            return SSL_R_CA_KEY_TOO_SMALL;
3536
0
    }
3537
16.4k
    if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
3538
0
        return SSL_R_CA_MD_TOO_WEAK;
3539
16.4k
    return 1;
3540
16.4k
}
3541
3542
/*
3543
 * Check security of a chain, if |sk| includes the end entity certificate then
3544
 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
3545
 * one to the peer. Return values: 1 if ok otherwise error code to use
3546
 */
3547
3548
int ssl_security_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk,
3549
                            X509 *x, int vfy)
3550
2.70k
{
3551
2.70k
    int rv, start_idx, i;
3552
3553
2.70k
    if (x == NULL) {
3554
2.70k
        x = sk_X509_value(sk, 0);
3555
2.70k
        if (x == NULL)
3556
0
            return ERR_R_INTERNAL_ERROR;
3557
2.70k
        start_idx = 1;
3558
2.70k
    } else
3559
0
        start_idx = 0;
3560
3561
2.70k
    rv = ssl_security_cert(s, NULL, x, vfy, 1);
3562
2.70k
    if (rv != 1)
3563
0
        return rv;
3564
3565
2.70k
    for (i = start_idx; i < sk_X509_num(sk); i++) {
3566
0
        x = sk_X509_value(sk, i);
3567
0
        rv = ssl_security_cert(s, NULL, x, vfy, 0);
3568
0
        if (rv != 1)
3569
0
            return rv;
3570
0
    }
3571
2.70k
    return 1;
3572
2.70k
}
3573
3574
/*
3575
 * For TLS 1.2 servers check if we have a certificate which can be used
3576
 * with the signature algorithm "lu" and return index of certificate.
3577
 */
3578
3579
static int tls12_get_cert_sigalg_idx(const SSL_CONNECTION *s,
3580
                                     const SIGALG_LOOKUP *lu)
3581
3.21k
{
3582
3.21k
    int sig_idx = lu->sig_idx;
3583
3.21k
    const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx,
3584
3.21k
                                                        SSL_CONNECTION_GET_CTX(s));
3585
3586
    /* If not recognised or not supported by cipher mask it is not suitable */
3587
3.21k
    if (clu == NULL
3588
3.21k
            || (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0
3589
3.21k
            || (clu->nid == EVP_PKEY_RSA_PSS
3590
961
                && (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0))
3591
2.27k
        return -1;
3592
3593
    /* If doing RPK, the CERT_PKEY won't be "valid" */
3594
939
    if (tls12_rpk_and_privkey(s, sig_idx))
3595
0
        return  s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_RPK ? sig_idx : -1;
3596
3597
939
    return s->s3.tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
3598
939
}
3599
3600
/*
3601
 * Checks the given cert against signature_algorithm_cert restrictions sent by
3602
 * the peer (if any) as well as whether the hash from the sigalg is usable with
3603
 * the key.
3604
 * Returns true if the cert is usable and false otherwise.
3605
 */
3606
static int check_cert_usable(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig,
3607
                             X509 *x, EVP_PKEY *pkey)
3608
2.29k
{
3609
2.29k
    const SIGALG_LOOKUP *lu;
3610
2.29k
    int mdnid, pknid, supported;
3611
2.29k
    size_t i;
3612
2.29k
    const char *mdname = NULL;
3613
2.29k
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
3614
3615
    /*
3616
     * If the given EVP_PKEY cannot support signing with this digest,
3617
     * the answer is simply 'no'.
3618
     */
3619
2.29k
    if (sig->hash != NID_undef)
3620
2.29k
        mdname = OBJ_nid2sn(sig->hash);
3621
2.29k
    supported = EVP_PKEY_digestsign_supports_digest(pkey, sctx->libctx,
3622
2.29k
                                                    mdname,
3623
2.29k
                                                    sctx->propq);
3624
2.29k
    if (supported <= 0)
3625
0
        return 0;
3626
3627
    /*
3628
     * The TLS 1.3 signature_algorithms_cert extension places restrictions
3629
     * on the sigalg with which the certificate was signed (by its issuer).
3630
     */
3631
2.29k
    if (s->s3.tmp.peer_cert_sigalgs != NULL) {
3632
223
        if (!X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
3633
0
            return 0;
3634
1.54k
        for (i = 0; i < s->s3.tmp.peer_cert_sigalgslen; i++) {
3635
1.32k
            lu = tls1_lookup_sigalg(s, s->s3.tmp.peer_cert_sigalgs[i]);
3636
1.32k
            if (lu == NULL)
3637
1.16k
                continue;
3638
3639
            /*
3640
             * This does not differentiate between the
3641
             * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
3642
             * have a chain here that lets us look at the key OID in the
3643
             * signing certificate.
3644
             */
3645
168
            if (mdnid == lu->hash && pknid == lu->sig)
3646
3
                return 1;
3647
168
        }
3648
220
        return 0;
3649
223
    }
3650
3651
    /*
3652
     * Without signat_algorithms_cert, any certificate for which we have
3653
     * a viable public key is permitted.
3654
     */
3655
2.07k
    return 1;
3656
2.29k
}
3657
3658
/*
3659
 * Returns true if |s| has a usable certificate configured for use
3660
 * with signature scheme |sig|.
3661
 * "Usable" includes a check for presence as well as applying
3662
 * the signature_algorithm_cert restrictions sent by the peer (if any).
3663
 * Returns false if no usable certificate is found.
3664
 */
3665
static int has_usable_cert(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig, int idx)
3666
2.29k
{
3667
    /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
3668
2.29k
    if (idx == -1)
3669
0
        idx = sig->sig_idx;
3670
2.29k
    if (!ssl_has_cert(s, idx))
3671
0
        return 0;
3672
3673
2.29k
    return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
3674
2.29k
                             s->cert->pkeys[idx].privatekey);
3675
2.29k
}
3676
3677
/*
3678
 * Returns true if the supplied cert |x| and key |pkey| is usable with the
3679
 * specified signature scheme |sig|, or false otherwise.
3680
 */
3681
static int is_cert_usable(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig, X509 *x,
3682
                          EVP_PKEY *pkey)
3683
0
{
3684
0
    size_t idx;
3685
3686
0
    if (ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)) == NULL)
3687
0
        return 0;
3688
3689
    /* Check the key is consistent with the sig alg */
3690
0
    if ((int)idx != sig->sig_idx)
3691
0
        return 0;
3692
3693
0
    return check_cert_usable(s, sig, x, pkey);
3694
0
}
3695
3696
/*
3697
 * Find a signature scheme that works with the supplied certificate |x| and key
3698
 * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
3699
 * available certs/keys to find one that works.
3700
 */
3701
static const SIGALG_LOOKUP *find_sig_alg(SSL_CONNECTION *s, X509 *x,
3702
                                         EVP_PKEY *pkey)
3703
0
{
3704
0
    const SIGALG_LOOKUP *lu = NULL;
3705
0
    size_t i;
3706
0
    int curve = -1;
3707
0
    EVP_PKEY *tmppkey;
3708
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
3709
3710
    /* Look for a shared sigalgs matching possible certificates */
3711
0
    for (i = 0; i < s->shared_sigalgslen; i++) {
3712
0
        lu = s->shared_sigalgs[i];
3713
3714
        /* Skip SHA1, SHA224, DSA and RSA if not PSS */
3715
0
        if (lu->hash == NID_sha1
3716
0
            || lu->hash == NID_sha224
3717
0
            || lu->sig == EVP_PKEY_DSA
3718
0
            || lu->sig == EVP_PKEY_RSA)
3719
0
            continue;
3720
        /* Check that we have a cert, and signature_algorithms_cert */
3721
0
        if (!tls1_lookup_md(sctx, lu, NULL))
3722
0
            continue;
3723
0
        if ((pkey == NULL && !has_usable_cert(s, lu, -1))
3724
0
                || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
3725
0
            continue;
3726
3727
0
        tmppkey = (pkey != NULL) ? pkey
3728
0
                                 : s->cert->pkeys[lu->sig_idx].privatekey;
3729
3730
0
        if (lu->sig == EVP_PKEY_EC) {
3731
0
            if (curve == -1)
3732
0
                curve = ssl_get_EC_curve_nid(tmppkey);
3733
0
            if (lu->curve != NID_undef && curve != lu->curve)
3734
0
                continue;
3735
0
        } else if (lu->sig == EVP_PKEY_RSA_PSS) {
3736
            /* validate that key is large enough for the signature algorithm */
3737
0
            if (!rsa_pss_check_min_key_size(sctx, tmppkey, lu))
3738
0
                continue;
3739
0
        }
3740
0
        break;
3741
0
    }
3742
3743
0
    if (i == s->shared_sigalgslen)
3744
0
        return NULL;
3745
3746
0
    return lu;
3747
0
}
3748
3749
/*
3750
 * Choose an appropriate signature algorithm based on available certificates
3751
 * Sets chosen certificate and signature algorithm.
3752
 *
3753
 * For servers if we fail to find a required certificate it is a fatal error,
3754
 * an appropriate error code is set and a TLS alert is sent.
3755
 *
3756
 * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
3757
 * a fatal error: we will either try another certificate or not present one
3758
 * to the server. In this case no error is set.
3759
 */
3760
int tls_choose_sigalg(SSL_CONNECTION *s, int fatalerrs)
3761
2.84k
{
3762
2.84k
    const SIGALG_LOOKUP *lu = NULL;
3763
2.84k
    int sig_idx = -1;
3764
3765
2.84k
    s->s3.tmp.cert = NULL;
3766
2.84k
    s->s3.tmp.sigalg = NULL;
3767
3768
2.84k
    if (SSL_CONNECTION_IS_TLS13(s)) {
3769
0
        lu = find_sig_alg(s, NULL, NULL);
3770
0
        if (lu == NULL) {
3771
0
            if (!fatalerrs)
3772
0
                return 1;
3773
0
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3774
0
                     SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
3775
0
            return 0;
3776
0
        }
3777
2.84k
    } else {
3778
        /* If ciphersuite doesn't require a cert nothing to do */
3779
2.84k
        if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT))
3780
76
            return 1;
3781
2.76k
        if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys))
3782
0
                return 1;
3783
3784
2.76k
        if (SSL_USE_SIGALGS(s)) {
3785
2.13k
            size_t i;
3786
2.13k
            if (s->s3.tmp.peer_sigalgs != NULL) {
3787
748
                int curve = -1;
3788
748
                SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
3789
3790
                /* For Suite B need to match signature algorithm to curve */
3791
748
                if (tls1_suiteb(s))
3792
0
                    curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
3793
0
                                                 .privatekey);
3794
3795
                /*
3796
                 * Find highest preference signature algorithm matching
3797
                 * cert type
3798
                 */
3799
3.27k
                for (i = 0; i < s->shared_sigalgslen; i++) {
3800
3.21k
                    lu = s->shared_sigalgs[i];
3801
3802
3.21k
                    if (s->server) {
3803
3.21k
                        if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
3804
2.31k
                            continue;
3805
3.21k
                    } else {
3806
0
                        int cc_idx = s->cert->key - s->cert->pkeys;
3807
3808
0
                        sig_idx = lu->sig_idx;
3809
0
                        if (cc_idx != sig_idx)
3810
0
                            continue;
3811
0
                    }
3812
                    /* Check that we have a cert, and sig_algs_cert */
3813
906
                    if (!has_usable_cert(s, lu, sig_idx))
3814
220
                        continue;
3815
686
                    if (lu->sig == EVP_PKEY_RSA_PSS) {
3816
                        /* validate that key is large enough for the signature algorithm */
3817
438
                        EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;
3818
3819
438
                        if (!rsa_pss_check_min_key_size(sctx, pkey, lu))
3820
0
                            continue;
3821
438
                    }
3822
686
                    if (curve == -1 || lu->curve == curve)
3823
686
                        break;
3824
686
                }
3825
748
#ifndef OPENSSL_NO_GOST
3826
                /*
3827
                 * Some Windows-based implementations do not send GOST algorithms indication
3828
                 * in supported_algorithms extension, so when we have GOST-based ciphersuite,
3829
                 * we have to assume GOST support.
3830
                 */
3831
748
                if (i == s->shared_sigalgslen
3832
748
                    && (s->s3.tmp.new_cipher->algorithm_auth
3833
62
                        & (SSL_aGOST01 | SSL_aGOST12)) != 0) {
3834
0
                  if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
3835
0
                    if (!fatalerrs)
3836
0
                      return 1;
3837
0
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3838
0
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
3839
0
                    return 0;
3840
0
                  } else {
3841
0
                    i = 0;
3842
0
                    sig_idx = lu->sig_idx;
3843
0
                  }
3844
0
                }
3845
748
#endif
3846
748
                if (i == s->shared_sigalgslen) {
3847
62
                    if (!fatalerrs)
3848
0
                        return 1;
3849
62
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3850
62
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
3851
62
                    return 0;
3852
62
                }
3853
1.39k
            } else {
3854
                /*
3855
                 * If we have no sigalg use defaults
3856
                 */
3857
1.39k
                const uint16_t *sent_sigs;
3858
1.39k
                size_t sent_sigslen;
3859
3860
1.39k
                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
3861
0
                    if (!fatalerrs)
3862
0
                        return 1;
3863
0
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3864
0
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
3865
0
                    return 0;
3866
0
                }
3867
3868
                /* Check signature matches a type we sent */
3869
1.39k
                sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
3870
28.9k
                for (i = 0; i < sent_sigslen; i++, sent_sigs++) {
3871
28.9k
                    if (lu->sigalg == *sent_sigs
3872
28.9k
                            && has_usable_cert(s, lu, lu->sig_idx))
3873
1.39k
                        break;
3874
28.9k
                }
3875
1.39k
                if (i == sent_sigslen) {
3876
0
                    if (!fatalerrs)
3877
0
                        return 1;
3878
0
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3879
0
                             SSL_R_WRONG_SIGNATURE_TYPE);
3880
0
                    return 0;
3881
0
                }
3882
1.39k
            }
3883
2.13k
        } else {
3884
629
            if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
3885
0
                if (!fatalerrs)
3886
0
                    return 1;
3887
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3888
0
                         SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
3889
0
                return 0;
3890
0
            }
3891
629
        }
3892
2.76k
    }
3893
2.70k
    if (sig_idx == -1)
3894
2.01k
        sig_idx = lu->sig_idx;
3895
2.70k
    s->s3.tmp.cert = &s->cert->pkeys[sig_idx];
3896
2.70k
    s->cert->key = s->s3.tmp.cert;
3897
2.70k
    s->s3.tmp.sigalg = lu;
3898
2.70k
    return 1;
3899
2.84k
}
3900
3901
int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode)
3902
0
{
3903
0
    if (mode != TLSEXT_max_fragment_length_DISABLED
3904
0
            && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
3905
0
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
3906
0
        return 0;
3907
0
    }
3908
3909
0
    ctx->ext.max_fragment_len_mode = mode;
3910
0
    return 1;
3911
0
}
3912
3913
int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
3914
0
{
3915
0
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
3916
3917
0
    if (sc == NULL
3918
0
        || (IS_QUIC(ssl) && mode != TLSEXT_max_fragment_length_DISABLED))
3919
0
        return 0;
3920
3921
0
    if (mode != TLSEXT_max_fragment_length_DISABLED
3922
0
            && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) {
3923
0
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
3924
0
        return 0;
3925
0
    }
3926
3927
0
    sc->ext.max_fragment_len_mode = mode;
3928
0
    return 1;
3929
0
}
3930
3931
uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
3932
0
{
3933
0
    if (session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
3934
0
        return TLSEXT_max_fragment_length_DISABLED;
3935
0
    return session->ext.max_fragment_len_mode;
3936
0
}
3937
3938
/*
3939
 * Helper functions for HMAC access with legacy support included.
3940
 */
3941
SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx)
3942
104
{
3943
104
    SSL_HMAC *ret = OPENSSL_zalloc(sizeof(*ret));
3944
104
    EVP_MAC *mac = NULL;
3945
3946
104
    if (ret == NULL)
3947
0
        return NULL;
3948
104
#ifndef OPENSSL_NO_DEPRECATED_3_0
3949
104
    if (ctx->ext.ticket_key_evp_cb == NULL
3950
104
            && ctx->ext.ticket_key_cb != NULL) {
3951
0
        if (!ssl_hmac_old_new(ret))
3952
0
            goto err;
3953
0
        return ret;
3954
0
    }
3955
104
#endif
3956
104
    mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq);
3957
104
    if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL)
3958
0
        goto err;
3959
104
    EVP_MAC_free(mac);
3960
104
    return ret;
3961
0
 err:
3962
0
    EVP_MAC_CTX_free(ret->ctx);
3963
0
    EVP_MAC_free(mac);
3964
0
    OPENSSL_free(ret);
3965
0
    return NULL;
3966
104
}
3967
3968
void ssl_hmac_free(SSL_HMAC *ctx)
3969
533
{
3970
533
    if (ctx != NULL) {
3971
104
        EVP_MAC_CTX_free(ctx->ctx);
3972
104
#ifndef OPENSSL_NO_DEPRECATED_3_0
3973
104
        ssl_hmac_old_free(ctx);
3974
104
#endif
3975
104
        OPENSSL_free(ctx);
3976
104
    }
3977
533
}
3978
3979
EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx)
3980
0
{
3981
0
    return ctx->ctx;
3982
0
}
3983
3984
int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
3985
17
{
3986
17
    OSSL_PARAM params[2], *p = params;
3987
3988
17
    if (ctx->ctx != NULL) {
3989
17
        *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0);
3990
17
        *p = OSSL_PARAM_construct_end();
3991
17
        if (EVP_MAC_init(ctx->ctx, key, len, params))
3992
17
            return 1;
3993
17
    }
3994
0
#ifndef OPENSSL_NO_DEPRECATED_3_0
3995
0
    if (ctx->old_ctx != NULL)
3996
0
        return ssl_hmac_old_init(ctx, key, len, md);
3997
0
#endif
3998
0
    return 0;
3999
0
}
4000
4001
int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
4002
0
{
4003
0
    if (ctx->ctx != NULL)
4004
0
        return EVP_MAC_update(ctx->ctx, data, len);
4005
0
#ifndef OPENSSL_NO_DEPRECATED_3_0
4006
0
    if (ctx->old_ctx != NULL)
4007
0
        return ssl_hmac_old_update(ctx, data, len);
4008
0
#endif
4009
0
    return 0;
4010
0
}
4011
4012
int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len,
4013
                   size_t max_size)
4014
0
{
4015
0
    if (ctx->ctx != NULL)
4016
0
        return EVP_MAC_final(ctx->ctx, md, len, max_size);
4017
0
#ifndef OPENSSL_NO_DEPRECATED_3_0
4018
0
    if (ctx->old_ctx != NULL)
4019
0
        return ssl_hmac_old_final(ctx, md, len);
4020
0
#endif
4021
0
    return 0;
4022
0
}
4023
4024
size_t ssl_hmac_size(const SSL_HMAC *ctx)
4025
17
{
4026
17
    if (ctx->ctx != NULL)
4027
17
        return EVP_MAC_CTX_get_mac_size(ctx->ctx);
4028
0
#ifndef OPENSSL_NO_DEPRECATED_3_0
4029
0
    if (ctx->old_ctx != NULL)
4030
0
        return ssl_hmac_old_size(ctx);
4031
0
#endif
4032
0
    return 0;
4033
0
}
4034
4035
int ssl_get_EC_curve_nid(const EVP_PKEY *pkey)
4036
2.89k
{
4037
2.89k
    char gname[OSSL_MAX_NAME_SIZE];
4038
4039
2.89k
    if (EVP_PKEY_get_group_name(pkey, gname, sizeof(gname), NULL) > 0)
4040
2.89k
        return OBJ_txt2nid(gname);
4041
4042
0
    return NID_undef;
4043
2.89k
}
4044
4045
__owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey,
4046
                                     const unsigned char *enckey,
4047
                                     size_t enckeylen)
4048
0
{
4049
0
    if (EVP_PKEY_is_a(pkey, "DH")) {
4050
0
        int bits = EVP_PKEY_get_bits(pkey);
4051
4052
0
        if (bits <= 0 || enckeylen != (size_t)bits / 8)
4053
            /* the encoded key must be padded to the length of the p */
4054
0
            return 0;
4055
0
    } else if (EVP_PKEY_is_a(pkey, "EC")) {
4056
0
        if (enckeylen < 3 /* point format and at least 1 byte for x and y */
4057
0
            || enckey[0] != 0x04)
4058
0
            return 0;
4059
0
    }
4060
4061
0
    return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen);
4062
0
}